Description
Vulnerable Library - eslint-4.1.0.tgz
An AST-based pattern checker for JavaScript.
Library home page: https://registry.npmjs.org/eslint/-/eslint-4.1.0.tgz
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (eslint version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| WS-2020-0344 |  Critical |
9.8 | is-my-json-valid-2.19.0.tgz | Transitive | 4.1.1 | ❌ | |
| WS-2020-0345 |  High |
8.2 | jsonpointer-4.0.1.tgz | Transitive | 4.1.1 | ❌ | |
| WS-2019-0063 | High |
8.1 | js-yaml-3.12.1.tgz | Transitive | 4.1.1 | ❌ | |
| WS-2020-0342 | High |
7.5 | is-my-json-valid-2.19.0.tgz | Transitive | 4.1.1 | ❌ | |
| WS-2020-0042 | High |
7.5 | acorn-5.7.3.tgz | Transitive | 4.1.1 | ❌ | |
| WS-2019-0032 | High |
7.5 | js-yaml-3.12.1.tgz | Transitive | 4.1.1 | ❌ | |
| CVE-2021-23807 |  Medium |
5.6 | jsonpointer-4.0.1.tgz | Transitive | 4.1.1 | ❌ | |
| CVE-2020-15366 | Medium |
5.6 | ajv-6.7.0.tgz | Transitive | 4.1.1 | ❌ | |
| WS-2018-0347 | Medium |
5.3 | eslint-4.1.0.tgz | Direct | 4.18.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2020-0344
Vulnerable Library - is-my-json-valid-2.19.0.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz
Dependency Hierarchy:
- eslint-4.1.0.tgz (Root Library)
- ❌ is-my-json-valid-2.19.0.tgz (Vulnerable Library)
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.
Publish Date: 2020-06-09
URL: WS-2020-0344
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-09
Fix Resolution (is-my-json-valid): 2.20.3
Direct dependency fix Resolution (eslint): 4.1.1
WS-2020-0345
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Dependency Hierarchy:
- eslint-4.1.0.tgz (Root Library)
- is-my-json-valid-2.19.0.tgz
- ❌ jsonpointer-4.0.1.tgz (Vulnerable Library)
- is-my-json-valid-2.19.0.tgz
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.
Publish Date: 2020-07-03
URL: WS-2020-0345
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-03
Fix Resolution (jsonpointer): 4.1.0
Direct dependency fix Resolution (eslint): 4.1.1
WS-2019-0063
Vulnerable Library - js-yaml-3.12.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz
Dependency Hierarchy:
- eslint-4.1.0.tgz (Root Library)
- ❌ js-yaml-3.12.1.tgz (Vulnerable Library)
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (eslint): 4.1.1
WS-2020-0342
Vulnerable Library - is-my-json-valid-2.19.0.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz
Dependency Hierarchy:
- eslint-4.1.0.tgz (Root Library)
- ❌ is-my-json-valid-2.19.0.tgz (Vulnerable Library)
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.
Publish Date: 2020-06-27
URL: WS-2020-0342
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution (is-my-json-valid): 2.20.2
Direct dependency fix Resolution (eslint): 4.1.1
WS-2020-0042
Vulnerable Library - acorn-5.7.3.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz
Dependency Hierarchy:
- eslint-4.1.0.tgz (Root Library)
- espree-3.5.4.tgz
- ❌ acorn-5.7.3.tgz (Vulnerable Library)
- espree-3.5.4.tgz
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 5.7.4
Direct dependency fix Resolution (eslint): 4.1.1
WS-2019-0032
Vulnerable Library - js-yaml-3.12.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz
Dependency Hierarchy:
- eslint-4.1.0.tgz (Root Library)
- ❌ js-yaml-3.12.1.tgz (Vulnerable Library)
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (eslint): 4.1.1
CVE-2021-23807
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Dependency Hierarchy:
- eslint-4.1.0.tgz (Root Library)
- is-my-json-valid-2.19.0.tgz
- ❌ jsonpointer-4.0.1.tgz (Vulnerable Library)
- is-my-json-valid-2.19.0.tgz
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-03
URL: CVE-2021-23807
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807
Release Date: 2021-11-03
Fix Resolution (jsonpointer): 5.0.0
Direct dependency fix Resolution (eslint): 4.1.1
CVE-2020-15366
Vulnerable Library - ajv-6.7.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.7.0.tgz
Dependency Hierarchy:
- eslint-4.1.0.tgz (Root Library)
- table-4.0.3.tgz
- ❌ ajv-6.7.0.tgz (Vulnerable Library)
- table-4.0.3.tgz
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (eslint): 4.1.1
WS-2018-0347
Vulnerable Library - eslint-4.1.0.tgz
An AST-based pattern checker for JavaScript.
Library home page: https://registry.npmjs.org/eslint/-/eslint-4.1.0.tgz
Dependency Hierarchy:
- ❌ eslint-4.1.0.tgz (Vulnerable Library)
Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d
Found in base branch: main
Vulnerability Details
A vulnerability was descovered in eslint before 4.18.2. One of the regexes in eslint is vulnerable to catastrophic backtracking.
Publish Date: 2018-02-27
URL: WS-2018-0347
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2018-02-27
Fix Resolution: 4.18.2