snyk-1.434.3.tgz: 30 vulnerabilities (highest severity is: 9.8) reachable

[mend-for-github-com]

Vulnerable Library - snyk-1.434.3.tgz

snyk library and cli utility

Library home page: https://registry.npmjs.org/snyk/-/snyk-1.434.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (snyk version)	Remediation Possible**	Reachability
CVE-2023-42282	Critical	9.8	ip-1.1.5.tgz	Transitive	1.518.0	✅	Reachable
CVE-2021-44906	Critical	9.8	detected in multiple dependencies	Transitive	1.434.4	✅	Reachable
CVE-2024-29415	Critical	9.1	ip-1.1.5.tgz	Transitive	N/A*	❌	Reachable
CVE-2021-28918	Critical	9.1	netmask-1.0.6.tgz	Transitive	1.518.0	✅	Reachable
CVE-2021-23406	High	8.1	detected in multiple dependencies	Transitive	1.518.0	✅	Reachable
CVE-2022-40764	High	7.8	snyk-1.434.3.tgz	Direct	1.996.0	✅	Reachable
CVE-2024-4068	High	7.5	braces-3.0.2.tgz	Transitive	N/A*	❌	Reachable
CVE-2020-26301	High	7.5	ssh2-0.8.9.tgz	Transitive	1.685.0	✅	Reachable
CVE-2022-48285	High	7.3	detected in multiple dependencies	Transitive	1.685.0	✅	Reachable
CVE-2023-48795	Medium	5.9	ssh2-0.8.9.tgz	Transitive	N/A*	❌	Reachable
CVE-2022-24441	Medium	5.8	snyk-1.434.3.tgz	Direct	1.1064.0	✅	Reachable
CVE-2024-4067	Medium	5.3	micromatch-4.0.2.tgz	Transitive	1.685.0	✅	Reachable
CVE-2023-0842	Medium	5.3	xml2js-0.4.23.tgz	Transitive	1.685.0	✅	Reachable
CVE-2022-25883	Medium	5.3	semver-6.3.0.tgz	Transitive	1.685.0	✅	Reachable
CVE-2021-29418	Medium	5.3	netmask-1.0.6.tgz	Transitive	1.518.0	✅	Reachable
CVE-2021-23413	Medium	5.3	detected in multiple dependencies	Transitive	1.667.0	✅	Reachable
CVE-2021-23362	Medium	5.3	detected in multiple dependencies	Transitive	1.434.4	✅	Reachable
CVE-2021-43138	High	7.8	async-3.2.0.tgz	Transitive	1.434.4	✅	Unreachable
CVE-2021-3807	High	7.5	detected in multiple dependencies	Transitive	1.434.4	✅	Unreachable
CVE-2021-33502	High	7.5	normalize-url-4.5.0.tgz	Transitive	1.434.4	✅	Unreachable
CVE-2021-23490	High	7.5	parse-link-header-1.0.1.tgz	Transitive	1.611.0	✅	Unreachable
CVE-2020-7788	High	7.3	detected in multiple dependencies	Transitive	1.434.4	✅	Unreachable
CVE-2020-7598	Medium	5.6	minimist-1.2.0.tgz	Transitive	1.434.4	✅	Unreachable
CVE-2023-26115	Medium	5.3	word-wrap-1.2.3.tgz	Transitive	1.434.4	✅	Unreachable
CVE-2022-33987	Medium	5.3	detected in multiple dependencies	Transitive	1.685.0	✅	Unreachable
CVE-2022-25881	Medium	5.3	http-cache-semantics-4.1.0.tgz	Transitive	1.434.4	✅	Unreachable
CVE-2022-22984	Medium	5.0	detected in multiple dependencies	Transitive	1.685.0	✅	Unreachable
CVE-2024-48963	Critical	9.8	snyk-php-plugin-1.9.2.tgz	Transitive	N/A*	❌
CVE-2024-48964	High	8.8	snyk-gradle-plugin-3.10.3.tgz	Transitive	1.685.0	✅
CVE-2024-21538	High	7.5	cross-spawn-6.0.5.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • proxy-agent-3.1.1.tgz
    • pac-proxy-agent-3.0.1.tgz
      • pac-resolver-3.0.0.tgz
        • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

ip-1.1.5/lib/ip.js (Application)
  -> socks-2.3.3/build/client/socksclient.js (Extension)
   -> socks-2.3.3/build/index.js (Extension)
    -> snyk-1.434.3/dist/lib/request/request.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (snyk): 1.518.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.5.tgz, minimist-1.2.0.tgz

minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json,/node_modules/snyk/node_modules/minimist/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-config-4.0.0-rc.2.tgz
    • ❌ minimist-1.2.5.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • update-notifier-4.1.3.tgz
    • latest-version-5.1.0.tgz
      • package-json-6.5.0.tgz
        • registry-url-5.1.0.tgz
          • rc-1.2.8.tgz
            • ❌ minimist-1.2.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

verdaccio-2.3.1/package.json (Application)
  -> snyk-1.434.3/dist/cli/index.js (Extension)
   -> snyk-1.434.3/dist/lib/analytics.js (Extension)
    -> snyk-1.434.3/dist/lib/config.js (Extension)
    ...
      -> snyk-config-4.0.0/dist/nconf/nconf.js (Extension)
       -> snyk-config-4.0.0/dist/nconf/nconf/stores/argv.js (Extension)
        -> ❌ minimist-1.2.5/index.js (Vulnerable Component)

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (snyk): 1.434.4

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (snyk): 1.434.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-29415

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • proxy-agent-3.1.1.tgz
    • pac-proxy-agent-3.0.1.tgz
      • pac-resolver-3.0.0.tgz
        • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

ip-1.1.5/lib/ip.js (Application)
  -> socks-2.3.3/build/client/socksclient.js (Extension)
   -> socks-2.3.3/build/index.js (Extension)
    -> snyk-1.434.3/dist/lib/request/request.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Mend Note: We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2021-28918

Vulnerable Library - netmask-1.0.6.tgz

Parse and lookup IP network blocks

Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/netmask/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • proxy-agent-3.1.1.tgz
    • pac-proxy-agent-3.0.1.tgz
      • pac-resolver-3.0.0.tgz
        • ❌ netmask-1.0.6.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

netmask-1.0.6/lib/netmask.js (Application)
  -> pac-resolver-3.0.0/isInNet.js (Extension)
   -> pac-resolver-3.0.0/index.js (Extension)
    -> snyk-1.434.3/dist/lib/request/request.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

Publish Date: 2021-04-01

URL: CVE-2021-28918

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pch5-whg9-qr2r

Release Date: 2021-04-01

Fix Resolution (netmask): 2.0.1

Direct dependency fix Resolution (snyk): 1.518.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23406

Vulnerable Libraries - pac-resolver-3.0.0.tgz, degenerator-1.0.4.tgz

pac-resolver-3.0.0.tgz

Generates an asynchronous resolver function from a PAC file

Library home page: https://registry.npmjs.org/pac-resolver/-/pac-resolver-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pac-resolver/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • proxy-agent-3.1.1.tgz
    • pac-proxy-agent-3.0.1.tgz
      • ❌ pac-resolver-3.0.0.tgz (Vulnerable Library)

degenerator-1.0.4.tgz

Turns sync functions into async generator functions

Library home page: https://registry.npmjs.org/degenerator/-/degenerator-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/degenerator/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • proxy-agent-3.1.1.tgz
    • pac-proxy-agent-3.0.1.tgz
      • pac-resolver-3.0.0.tgz
        • ❌ degenerator-1.0.4.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

pac-resolver-3.0.0/index.js (Application)
  -> pac-proxy-agent-3.0.1/index.js (Extension)
   -> proxy-agent-3.1.1/index.js (Extension)
    -> snyk-1.434.3/dist/lib/request/request.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.

Publish Date: 2021-08-24

URL: CVE-2021-23406

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9j49-mfvp-vmhm

Release Date: 2021-08-24

Fix Resolution (pac-resolver): 5.0.0

Direct dependency fix Resolution (snyk): 1.518.0

Fix Resolution (degenerator): 5.0.0

Direct dependency fix Resolution (snyk): 1.518.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-40764

Vulnerable Library - snyk-1.434.3.tgz

snyk library and cli utility

Library home page: https://registry.npmjs.org/snyk/-/snyk-1.434.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk/package.json

Dependency Hierarchy:

• ❌ snyk-1.434.3.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

snyk-1.434.3/dist/lib/errors/failed-to-get-vulns-from-unavailable-resource.js (Application)
  -> snyk-1.434.3/dist/lib/errors/index.js (Extension)
   -> snyk-1.434.3/dist/cli/index.js (Extension)
    -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

Publish Date: 2022-10-03

URL: CVE-2022-40764

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hpqj-7cj6-hfj8

Release Date: 2022-10-03

Fix Resolution: 1.996.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-4068

Vulnerable Library - braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk/node_modules/braces/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • micromatch-4.0.2.tgz
    • ❌ braces-3.0.2.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

braces-3.0.2/lib/parse.js (Application)
  -> braces-3.0.2/index.js (Extension)
   -> micromatch-4.0.2/index.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2020-26301

Vulnerable Library - ssh2-0.8.9.tgz

SSH2 client and server modules written in pure JavaScript for node.js

Library home page: https://registry.npmjs.org/ssh2/-/ssh2-0.8.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ssh2/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-docker-plugin-4.12.0.tgz
    • docker-modem-2.1.3.tgz
      • ❌ ssh2-0.8.9.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

ssh2-0.8.9/lib/keepalivemgr.js (Application)
  -> ssh2-0.8.9/lib/server.js (Extension)
   -> ssh2-0.8.9/lib/client.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.

Publish Date: 2021-09-20

URL: CVE-2020-26301

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://securitylab.github.com/advisories/GHSL-2020-123-mscdex-ssh2/

Release Date: 2021-09-20

Fix Resolution (ssh2): 1.4.0

Direct dependency fix Resolution (snyk): 1.685.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-48285

Vulnerable Libraries - jszip-3.4.0.tgz, jszip-3.5.0.tgz

jszip-3.4.0.tgz

Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk-nuget-plugin/node_modules/jszip/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-nuget-plugin-1.19.4.tgz
    • ❌ jszip-3.4.0.tgz (Vulnerable Library)

jszip-3.5.0.tgz

Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Library home page: https://registry.npmjs.org/jszip/-/jszip-3.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jszip/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-mvn-plugin-2.25.0.tgz
    • java-call-graph-builder-1.17.0.tgz
      • ❌ jszip-3.5.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

jszip-3.4.0/lib/index.js (Application)
  -> snyk-nuget-plugin-1.19.4/dist/nuget-parser/nuspec-parser.js (Extension)
   -> snyk-nuget-plugin-1.19.4/dist/nuget-parser/dotnet-framework-parser.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
Mend Note: Converted from WS-2023-0004, on 2023-02-01.

Publish Date: 2023-01-29

URL: CVE-2022-48285

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-29

Fix Resolution (jszip): 3.8.0

Direct dependency fix Resolution (snyk): 1.685.0

Fix Resolution (jszip): 3.8.0

Direct dependency fix Resolution (snyk): 1.685.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-48795

Vulnerable Library - ssh2-0.8.9.tgz

SSH2 client and server modules written in pure JavaScript for node.js

Library home page: https://registry.npmjs.org/ssh2/-/ssh2-0.8.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ssh2/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-docker-plugin-4.12.0.tgz
    • docker-modem-2.1.3.tgz
      • ❌ ssh2-0.8.9.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

ssh2-0.8.9/lib/server.js (Application)
  -> ssh2-0.8.9/lib/client.js (Extension)
   -> docker-modem-2.1.3/lib/ssh.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Publish Date: 2023-12-18

URL: CVE-2023-48795

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-48795

Release Date: 2023-12-18

Fix Resolution: putty - 0.80, openssh - V_9_6_P1, golang/crypto - v0.17.0, asyncssh - 2.14.2, libssh-0.9.8, libssh-0.10.6, teraterm - v5.1, paramiko - 3.4.0, russh - 0.40.2, com.github.mwiede:jsch:0.2.15, proftpd - v1.3.8b, thrussh - 0.35.1, teraterm - v5.1, org.connectbot:sshlib:2.2.22, mscdex/ssh2 - 1.15.0, jtesta/ssh-audit - v3.1.0, Oryx-Embedded/CycloneSSH - v2.3.4, opnsense/src - 23.7, winscp - 6.2.2, PowerShell/openssh-portable - v9.5.0.0

CVE-2022-24441

Vulnerable Library - snyk-1.434.3.tgz

snyk library and cli utility

Library home page: https://registry.npmjs.org/snyk/-/snyk-1.434.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk/package.json

Dependency Hierarchy:

• ❌ snyk-1.434.3.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

snyk-1.434.3/dist/lib/project-metadata/target-builders/git.js (Application)
  -> snyk-1.434.3/dist/lib/project-metadata/index.js (Extension)
   -> snyk-1.434.3/dist/lib/snyk-test/run-test.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable. NOTE: This issue is independent of the one reported in "CVE-2022-40764" (https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions

Publish Date: 2022-11-30

URL: CVE-2022-24441

CVSS 3 Score Details (5.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24441

Release Date: 2022-11-30

Fix Resolution: 1.1064.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-4067

Vulnerable Library - micromatch-4.0.2.tgz

Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk/node_modules/micromatch/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • ❌ micromatch-4.0.2.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

micromatch-4.0.2/index.js (Application)
  -> snyk-1.434.3/dist/lib/plugins/nodejs-plugin/yarn-workspaces-parser.js (Extension)
   -> snyk-1.434.3/dist/lib/plugins/get-deps-from-plugin.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.

Publish Date: 2024-05-13

URL: CVE-2024-4067

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution (micromatch): 4.0.8

Direct dependency fix Resolution (snyk): 1.685.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-0842

Vulnerable Library - xml2js-0.4.23.tgz

Simple XML to JavaScript object converter.

Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml2js/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-nuget-plugin-1.19.4.tgz
    • ❌ xml2js-0.4.23.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

xml2js-0.4.23/lib/defaults.js (Application)
  -> xml2js-0.4.23/lib/xml2js.js (Extension)
   -> snyk-nuget-plugin-1.19.4/dist/nuget-parser/csproj-parser.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

Publish Date: 2023-04-05

URL: CVE-2023-0842

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842

Release Date: 2023-04-05

Fix Resolution (xml2js): 0.5.0

Direct dependency fix Resolution (snyk): 1.685.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25883

Vulnerable Library - semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk/node_modules/semver/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • ❌ semver-6.3.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

semver-6.3.0/semver.js (Application)
  -> snyk-sbt-plugin-2.11.0/dist/index.js (Extension)
   -> snyk-1.434.3/dist/lib/plugins/index.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 6.3.1

Direct dependency fix Resolution (snyk): 1.685.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-29418

Vulnerable Library - netmask-1.0.6.tgz

Parse and lookup IP network blocks

Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/netmask/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • proxy-agent-3.1.1.tgz
    • pac-proxy-agent-3.0.1.tgz
      • pac-resolver-3.0.0.tgz
        • ❌ netmask-1.0.6.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

netmask-1.0.6/lib/netmask.js (Application)
  -> pac-resolver-3.0.0/isInNet.js (Extension)
   -> pac-resolver-3.0.0/index.js (Extension)
    -> snyk-1.434.3/dist/lib/request/request.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.

Publish Date: 2021-03-30

URL: CVE-2021-29418

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://vuln.ryotak.me/advisories/6.txt

Release Date: 2021-03-30

Fix Resolution (netmask): 2.0.1

Direct dependency fix Resolution (snyk): 1.518.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23413

Vulnerable Libraries - jszip-3.4.0.tgz, jszip-3.5.0.tgz

jszip-3.4.0.tgz

Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk-nuget-plugin/node_modules/jszip/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-nuget-plugin-1.19.4.tgz
    • ❌ jszip-3.4.0.tgz (Vulnerable Library)

jszip-3.5.0.tgz

Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Library home page: https://registry.npmjs.org/jszip/-/jszip-3.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jszip/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-mvn-plugin-2.25.0.tgz
    • java-call-graph-builder-1.17.0.tgz
      • ❌ jszip-3.5.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

jszip-3.4.0/lib/object.js (Application)
  -> jszip-3.4.0/lib/index.js (Extension)
   -> snyk-nuget-plugin-1.19.4/dist/nuget-parser/nuspec-parser.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.

Publish Date: 2021-07-25

URL: CVE-2021-23413

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413

Release Date: 2021-07-25

Fix Resolution (jszip): 3.7.0

Direct dependency fix Resolution (snyk): 1.667.0

Fix Resolution (jszip): 3.7.0

Direct dependency fix Resolution (snyk): 1.667.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23362

Vulnerable Libraries - hosted-git-info-2.8.8.tgz, hosted-git-info-3.0.7.tgz

hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hosted-git-info/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-policy-1.14.1.tgz
    • snyk-module-2.1.0.tgz
      • ❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)

hosted-git-info-3.0.7.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-3.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snyk-cpp-plugin/node_modules/hosted-git-info/package.json,/node_modules/snyk-module/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

• snyk-1.434.3.tgz (Root Library)
  • snyk-cpp-plugin-2.2.1.tgz
    • ❌ hosted-git-info-3.0.7.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

hosted-git-info-2.8.8/index.js (Application)
  -> snyk-module-1.9.1/lib/index.js (Extension)
   -> snyk-resolve-deps-4.4.0/dist/logical.js (Extension)
    -> snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
    ...
      -> snyk-1.434.3/dist/lib/analytics.js (Extension)
       -> snyk-1.434.3/dist/cli/index.js (Extension)
        -> ❌ verdaccio-2.3.1/package.json (Vulnerable Component)

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (snyk): 1.434.4

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (snyk): 1.434.4

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.