Description
Vulnerable Library - js-2.41.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (js version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2024-21505 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2022-0355 | 7.5 | simple-get-2.8.1.tgz | Transitive | N/A* | ❌ |
| CVE-2021-3803 | 7.5 | nth-check-2.0.0.tgz | Transitive | N/A* | ❌ |
| CVE-2021-23358 | 7.2 | underscore-1.9.1.tgz | Transitive | N/A* | ❌ |
| CVE-2021-23337 | 7.2 | lodash-4.17.19.tgz | Transitive | N/A* | ❌ |
| CVE-2020-28500 | 5.3 | lodash-4.17.19.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2024-21505
Vulnerable Libraries - web3-utils-1.2.11.tgz, web3-utils-1.2.2.tgz, web3-utils-1.3.6.tgz
web3-utils-1.2.11.tgz
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.2.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- js-2.41.0.tgz (Root Library)
  - ❌ web3-utils-1.2.11.tgz (Vulnerable Library)
web3-utils-1.2.2.tgz
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- js-2.41.0.tgz (Root Library)
  - synthetix-2.41.0.tgz
    - ❌ web3-utils-1.2.2.tgz (Vulnerable Library)
web3-utils-1.3.6.tgz
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.3.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- js-2.41.0.tgz (Root Library)
  - synthetix-2.41.0.tgz
    - abi-decoder-2.3.0.tgz
      - ❌ web3-utils-1.3.6.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to an insecure recursive merge.
By passing specially crafted input to these functions, an attacker can manipulate an object's prototype, potentially altering the behavior of all objects that inherit from the affected prototype.
Publish Date: 2024-03-25
URL: CVE-2024-21505
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21505
Release Date: 2024-03-25
Fix Resolution: web3-utils - 4.2.1
CVE-2022-0355
Vulnerable Library - simple-get-2.8.1.tgz
Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.
Library home page: https://registry.npmjs.org/simple-get/-/simple-get-2.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- js-2.41.0.tgz (Root Library)
  - web3-utils-1.2.11.tgz
    - eth-lib-0.2.8.tgz
      - xhr-request-promise-0.1.3.tgz
        - xhr-request-1.1.0.tgz
          - ❌ simple-get-2.8.1.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.
Publish Date: 2022-01-26
URL: CVE-2022-0355
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355
Release Date: 2022-01-26
Fix Resolution: simple-get - 4.0.1
CVE-2021-3803
Vulnerable Library - nth-check-2.0.0.tgz
Parses and compiles CSS nth-checks to highly optimized functions.
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- js-2.41.0.tgz (Root Library)
  - synthetix-2.41.0.tgz
    - pretty-error-2.1.2.tgz
      - renderkid-2.0.7.tgz
        - css-select-4.1.3.tgz
          - ❌ nth-check-2.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
CVE-2021-23358
Vulnerable Library - underscore-1.9.1.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- js-2.41.0.tgz (Root Library)
  - web3-utils-1.2.11.tgz
    - ❌ underscore-1.9.1.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
The package underscore from 1.3.2 and before 1.12.1, and from 1.13.0-0 and before 1.13.0-2, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: underscore - 1.12.1, 1.13.0-2
CVE-2021-23337
Vulnerable Library - lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- js-2.41.0.tgz (Root Library)
  - ❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21
CVE-2020-28500
Vulnerable Library - lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- js-2.41.0.tgz (Root Library)
  - ❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21