opentok-rtc icon indicating copy to clipboard operation
opentok-rtc copied to clipboard

Published 20 hours ago verified publisher icon opentok

grunt-contrib-compress-1.6.0.tgz: 1 vulnerabilities (highest severity is: 8.8)

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

Vulnerable Library - grunt-contrib-compress-1.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-get/package.json

Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (grunt-contrib-compress version) Remediation Possible** Reachability
CVE-2022-0355 High 8.8 Not Defined 0.2% simple-get-3.1.0.tgz Transitive 2.0.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-0355

Vulnerable Library - simple-get-3.1.0.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-get/package.json

Dependency Hierarchy:

  • grunt-contrib-compress-1.6.0.tgz (Root Library)
    • iltorb-2.4.5.tgz
      • prebuild-install-5.3.6.tgz
        • :x: simple-get-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907

Found in base branch: master

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.

Publish Date: 2022-01-26

URL: CVE-2022-0355

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355

Release Date: 2022-01-26

Fix Resolution (simple-get): 3.1.1

Direct dependency fix Resolution (grunt-contrib-compress): 2.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar Jun 06 '22 09:06 mend-for-github-com[bot]