vonage-node-code-snippets icon indicating copy to clipboard operation
vonage-node-code-snippets copied to clipboard

Published 20 hours ago verified publisher icon Vonage

ejs-3.1.9.tgz: 2 vulnerabilities (highest severity is: 8.8) reachable

Open mend-for-github-com[bot] opened this issue 1 year ago • 0 comments

Vulnerable Library - ejs-3.1.9.tgz

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (ejs version) Remediation Possible** Reachability
CVE-2024-33883 High 8.8 Not Defined 0.0% ejs-3.1.9.tgz Direct ejs - 3.1.10

Reachable
CVE-2024-39249 Medium 6.5 Not Defined 0.0% async-3.2.4.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-33883

Vulnerable Library - ejs-3.1.9.tgz

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Dependency Hierarchy:

  • :x: ejs-3.1.9.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

vonage-node-code-snippets-0.1.0/verify/2fa.js (Application)
  -> ❌ ejs-3.1.9/lib/ejs.js (Vulnerable Component)

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

Publish Date: 2024-04-28

URL: CVE-2024-33883

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883

Release Date: 2024-04-28

Fix Resolution: ejs - 3.1.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-39249

Vulnerable Library - async-3.2.4.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-3.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

  • ejs-3.1.9.tgz (Root Library)
    • jake-10.8.7.tgz
      • :x: async-3.2.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.

Publish Date: 2024-07-01

URL: CVE-2024-39249

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar May 12 '24 20:05 mend-for-github-com[bot]