puppeteer-20.9.0.tgz: 1 vulnerabilities (highest severity is: 9.8) unreachable

[mend-for-github-com[bot]]

trafficstars

Vulnerable Library - puppeteer-20.9.0.tgz

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (puppeteer version)	Remediation Possible**	Reachability
CVE-2023-42282	Critical	9.8	ip-1.1.8.tgz	Transitive	21.0.0	❌	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42282

Vulnerable Library - ip-1.1.8.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz

Dependency Hierarchy:

• puppeteer-20.9.0.tgz (Root Library)
  • browsers-1.4.6.tgz
    • proxy-agent-6.3.0.tgz
      • pac-proxy-agent-7.0.0.tgz
        • pac-resolver-7.0.0.tgz
          • :x: ip-1.1.8.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (puppeteer): 21.0.0