AID icon indicating copy to clipboard operation
AID copied to clipboard

Published 20 hours ago verified publisher icon autoai-org

vuetify-loader-1.6.0.tgz: 2 vulnerabilities (highest severity is: 9.8)

Open mend-bolt-for-github[bot] opened this issue 3 years ago • 0 comments

Vulnerable Library - vuetify-loader-1.6.0.tgz

Path to dependency file: /components/dashboard/node_modules/vuetify-loader/package.json

Path to vulnerable library: /components/dashboard/node_modules/loader-utils/package.json,/docs/node_modules/cache-loader/node_modules/loader-utils/package.json,/components/discovery/yarn.lock

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-37601 High 9.8 loader-utils-1.4.0.tgz Transitive 1.7.0
CVE-2022-37599 Medium 5.5 loader-utils-1.4.0.tgz Transitive N/A

Details

CVE-2022-37601

Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /components/dashboard/node_modules/loader-utils/package.json

Path to vulnerable library: /components/dashboard/node_modules/loader-utils/package.json,/docs/node_modules/cache-loader/node_modules/loader-utils/package.json,/components/discovery/yarn.lock

Dependency Hierarchy:

  • vuetify-loader-1.6.0.tgz (Root Library)
    • :x: loader-utils-1.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution (loader-utils): 2.0.0

Direct dependency fix Resolution (vuetify-loader): 1.7.0

Step up your Open Source Security Game with Mend here

CVE-2022-37599

Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /components/dashboard/node_modules/loader-utils/package.json

Path to vulnerable library: /components/dashboard/node_modules/loader-utils/package.json,/docs/node_modules/cache-loader/node_modules/loader-utils/package.json,/components/discovery/yarn.lock

Dependency Hierarchy:

  • vuetify-loader-1.6.0.tgz (Root Library)
    • :x: loader-utils-1.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Oct 13 '22 01:10 mend-bolt-for-github[bot]