mkdirp-0.5.5.tgz: 1 vulnerabilities (highest severity is: 9.8) reachable

[mend-for-github-com]

Vulnerable Library - mkdirp-0.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json,/node_modules/snyk/node_modules/minimist/package.json

Found in HEAD commit: 50c76be11a552f9cbdcbe486f7f3ab2075f63251

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (mkdirp version)	Remediation Possible**	Reachability
CVE-2021-44906	Critical	9.8	minimist-1.2.5.tgz	Transitive	0.5.6	✅	Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json,/node_modules/snyk/node_modules/minimist/package.json

Dependency Hierarchy:

• mkdirp-0.5.5.tgz (Root Library)
  • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 50c76be11a552f9cbdcbe486f7f3ab2075f63251

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

verdaccio-2.3.1/package.json (Application)
  -> snyk-1.434.3/dist/cli/index.js (Extension)
   -> snyk-1.434.3/dist/lib/analytics.js (Extension)
    -> snyk-1.434.3/dist/lib/config.js (Extension)
    ...
      -> snyk-config-4.0.0/dist/nconf/nconf.js (Extension)
       -> snyk-config-4.0.0/dist/nconf/nconf/stores/argv.js (Extension)
        -> ❌ minimist-1.2.5/index.js (Vulnerable Component)

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (mkdirp): 0.5.6

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.