FireShort CVE-2021-35065 (High) detected in glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz

CVE-2021-35065 (High) detected in glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz

Open mend-bolt-for-github[bot] opened this issue 3 years ago • 0 comments

Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

react-scripts-3.4.3.tgz (Root Library)
- react-dev-utils-10.2.1.tgz
  - globby-8.0.2.tgz
    - fast-glob-2.2.7.tgz
      - :x: glob-parent-3.1.0.tgz (Vulnerable Library)

glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

react-scripts-3.4.3.tgz (Root Library)
- eslint-6.8.0.tgz
  - :x: glob-parent-5.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High