nexmo-community / health-coaching-app Goto Github PK

Health journaling app with video coaching functionality. Built with Preact.js CLI (Netlify CMS template) and OpenTok.

Home Page: https://practical-bell-c77b62.netlify.com/

JavaScript 67.28% CSS 24.53% HTML 8.18%

health-coaching-app's Introduction

How to Add Video Chat to Your Preact PWA using OpenTok

Is becoming healthier one of your New Year's resolutions? This application will help you to track your progress by enabling you to blog about daily activity, diet, energy levels, mood and more using Netlify CMS powered by Preact CLI. Share your app with any professionals you work with (personal trainer, nutritionist, therapist) and receive live video coaching directly from the platform with OpenTok.

Build Instructions

Important: Node.js > V6.x is a minimum requirement.

# install Preact CLI globally from NPM
npm i -g preact-cli

# install dependencies
npm install

# serve with hot reload at localhost:8080
npm run dev

# build for production with minification
npm run build

# run tests with jest and preact-render-spy
npm run test

For a detailed explanation on Preact CLI works, checkout the Readme.

How to setup Netlify CMS

Deploy on Netlify using the CLI or the Netlify bot for github.
Enable Git gateway https://docs.netlify.com/visitor-access/git-gateway/.
Enable Identity for your app https://docs.netlify.com/visitor-access/identity/.
For most Blogs, change (Identity > Settings > Registration preferences) to invite only.
Invite yourself to the Identity tab in Netlify console.
Accept the invite from your email inbox.
Done!

Note: Go to https://<your-domain>/admin in order to access Netlify CMS.

Code of Conduct

In the interest of fostering an open and welcoming environment, we strive to make participation in our project and our community a harassment-free experience for everyone. Please check out our Code of Conduct in full.

Contributing

We ❤️ contributions from everyone! Check out the Contributing Guidelines for more information.

License

This project is subject to the MIT License

health-coaching-app's People

Stargazers

Watchers

health-coaching-app's Issues

Screen Sharing fallback

Description

When you stop sharing screen from the window "Stop sharing" button. The sharing checkbox is still checked and the screen do no fallback to previous screen it was before sharing.

Steps to replicate

Visit https://practical-bell-c77b62.netlify.app
Click on "Let's chat!"
check "Share Screen"
click ""Stop sharing" at the bottom of the screen

Expectations

when a user click on "Stop sharing" The screen should fallback to previous screen it was before sharing.

Experience in

Mac book pro and Opera browser

Severity

Medium

markdown-to-jsx-6.10.3.tgz: 1 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - markdown-to-jsx-6.10.3.tgz

Convert markdown to JSX with ease for React and React-like projects. Super lightweight and highly configurable.

Library home page: https://registry.npmjs.org/markdown-to-jsx/-/markdown-to-jsx-6.10.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/markdown-to-jsx/package.json

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (markdown-to-jsx version)	Remediation Possible**
WS-2020-0103	Medium	6.5	markdown-to-jsx-6.10.3.tgz	Direct	6.11.4	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2020-0103

Vulnerable Library - markdown-to-jsx-6.10.3.tgz

Convert markdown to JSX with ease for React and React-like projects. Super lightweight and highly configurable.

Library home page: https://registry.npmjs.org/markdown-to-jsx/-/markdown-to-jsx-6.10.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/markdown-to-jsx/package.json

Dependency Hierarchy:

❌ markdown-to-jsx-6.10.3.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Versions of markdown-to-jsx prior to 6.11.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.

Publish Date: 2020-05-20

URL: WS-2020-0103

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-05-20

Fix Resolution: 6.11.4

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

imagemin-mozjpeg-8.0.0.tgz: 13 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - imagemin-mozjpeg-8.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (imagemin-mozjpeg version)	Remediation Possible**
CVE-2021-44906	Critical	9.8	minimist-1.2.0.tgz	Transitive	9.0.0	✅
CVE-2020-7788	Critical	9.8	ini-1.3.5.tgz	Transitive	9.0.0	✅
CVE-2020-12265	Critical	9.8	detected in multiple dependencies	Transitive	N/A*	❌
WS-2020-0044	High	7.5	decompress-4.2.0.tgz	Transitive	9.0.0	✅
CVE-2022-25881	High	7.5	http-cache-semantics-3.8.1.tgz	Transitive	N/A*	❌
CVE-2021-43307	High	7.5	semver-regex-2.0.0.tgz	Transitive	N/A*	❌
CVE-2021-3795	High	7.5	semver-regex-2.0.0.tgz	Transitive	N/A*	❌
CVE-2021-33623	High	7.5	trim-newlines-1.0.0.tgz	Transitive	9.0.0	✅
CVE-2021-23343	High	7.5	path-parse-1.0.6.tgz	Transitive	9.0.0	✅
CVE-2020-8244	Medium	6.5	bl-1.2.2.tgz	Transitive	9.0.0	✅
CVE-2020-7598	Medium	5.6	minimist-1.2.0.tgz	Transitive	9.0.0	✅
CVE-2022-33987	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2021-23362	Medium	5.3	hosted-git-info-2.8.5.tgz	Transitive	9.0.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-44906

Vulnerable Library - minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - logalot-2.1.0.tgz
    - squeak-1.3.0.tgz
      - lpad-align-1.1.2.tgz
        
        meow-3.7.0.tgz
        
        ❌ minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (imagemin-mozjpeg): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7788

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ini/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-build-3.0.0.tgz
    - download-6.2.5.tgz
      - caw-2.0.1.tgz
        
        get-proxy-2.1.0.tgz
        
        npm-conf-1.1.3.tgz
        
        config-chain-1.1.12.tgz
        
        ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (imagemin-mozjpeg): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-12265

Vulnerable Libraries - decompress-tar-4.1.1.tgz, decompress-4.2.0.tgz

decompress-tar-4.1.1.tgz

decompress tar plugin

Library home page: https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress-tar/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-build-3.0.0.tgz
    - decompress-4.2.0.tgz
      - ❌ decompress-tar-4.1.1.tgz (Vulnerable Library)

decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-wrapper-4.1.0.tgz
    - download-7.1.0.tgz
      - ❌ decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
Mend Note: Decompress versions prior to 4.2.1 are vulnerable to CVE-2020-12265 which could lead to Path Traversal. decompress-tar is a tar plugin for decompress and is also vulnerable to CVE-2020-12265 and there is no fixed version for decompress-tar.

Publish Date: 2020-04-26

URL: CVE-2020-12265

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution: decompress - 4.2.1, decompress-tar - No fix version available

WS-2020-0044

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-wrapper-4.1.0.tgz
    - download-7.1.0.tgz
      - ❌ decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. the package fails to prevent an extraction of files with relative paths which allows attackers to write to any folder in the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-08

Fix Resolution (decompress): 4.2.1

Direct dependency fix Resolution (imagemin-mozjpeg): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25881

Vulnerable Library - http-cache-semantics-3.8.1.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-cache-semantics/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-wrapper-4.1.0.tgz
    - download-7.1.0.tgz
      - got-8.3.2.tgz
        
        cacheable-request-2.1.4.tgz
        
        ❌ http-cache-semantics-3.8.1.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1

CVE-2021-43307

Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-wrapper-4.1.0.tgz
    - bin-version-check-4.0.0.tgz
      - bin-version-3.1.0.tgz
        
        find-versions-3.2.0.tgz
        
        ❌ semver-regex-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2022-06-02

Fix Resolution: semver-regex - 3.1.4,4.0.3

CVE-2021-3795

Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-wrapper-4.1.0.tgz
    - bin-version-check-4.0.0.tgz
      - bin-version-3.1.0.tgz
        
        find-versions-3.2.0.tgz
        
        ❌ semver-regex-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3795

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution: semver-regex - 3.1.3,4.0.1

CVE-2021-33623

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim-newlines/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - logalot-2.1.0.tgz
    - squeak-1.3.0.tgz
      - lpad-align-1.1.2.tgz
        
        meow-3.7.0.tgz
        
        ❌ trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (imagemin-mozjpeg): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23343

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - logalot-2.1.0.tgz
    - squeak-1.3.0.tgz
      - lpad-align-1.1.2.tgz
        
        meow-3.7.0.tgz
        
        normalize-package-data-2.5.0.tgz
        
        resolve-1.14.1.tgz
        
        ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (imagemin-mozjpeg): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8244

Vulnerable Library - bl-1.2.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bl/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-build-3.0.0.tgz
    - decompress-4.2.0.tgz
      - decompress-tar-4.1.1.tgz
        
        tar-stream-1.6.2.tgz
        
        ❌ bl-1.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution (bl): 1.2.3

Direct dependency fix Resolution (imagemin-mozjpeg): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7598

Vulnerable Library - minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - logalot-2.1.0.tgz
    - squeak-1.3.0.tgz
      - lpad-align-1.1.2.tgz
        
        meow-3.7.0.tgz
        
        ❌ minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (imagemin-mozjpeg): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-33987

Vulnerable Libraries - got-8.3.2.tgz, got-7.1.0.tgz

got-8.3.2.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-8.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-wrapper-4.1.0.tgz
    - download-7.1.0.tgz
      - ❌ got-8.3.2.tgz (Vulnerable Library)

got-7.1.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-7.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - bin-build-3.0.0.tgz
    - download-6.2.5.tgz
      - ❌ got-7.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

CVE-2021-23362

Vulnerable Library - hosted-git-info-2.8.5.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hosted-git-info/package.json

Dependency Hierarchy:

imagemin-mozjpeg-8.0.0.tgz (Root Library)
- mozjpeg-6.0.1.tgz
  - logalot-2.1.0.tgz
    - squeak-1.3.0.tgz
      - lpad-align-1.1.2.tgz
        
        meow-3.7.0.tgz
        
        normalize-package-data-2.5.0.tgz
        
        ❌ hosted-git-info-2.8.5.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (imagemin-mozjpeg): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

imagemin-webpack-plugin-2.4.2.tgz: 11 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - imagemin-webpack-plugin-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (imagemin-webpack-plugin version)	Remediation Possible**
CVE-2021-44906	Critical	9.8	minimist-0.0.8.tgz	Transitive	N/A*	❌
CVE-2024-4068	High	7.5	braces-2.3.2.tgz	Transitive	N/A*	❌
CVE-2022-38900	High	7.5	decode-uri-component-0.2.0.tgz	Transitive	N/A*	❌
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2021-3803	High	7.5	nth-check-1.0.2.tgz	Transitive	N/A*	❌
CVE-2021-29059	High	7.5	is-svg-3.0.0.tgz	Transitive	N/A*	❌
CVE-2021-28092	High	7.5	is-svg-3.0.0.tgz	Transitive	N/A*	❌
CVE-2020-28469	High	7.5	glob-parent-3.1.0.tgz	Transitive	N/A*	❌
CVE-2019-20149	High	7.5	kind-of-6.0.2.tgz	Transitive	N/A*	❌
CVE-2020-7598	Medium	5.6	minimist-0.0.8.tgz	Transitive	N/A*	❌
CVE-2024-4067	Medium	5.3	micromatch-3.1.10.tgz	Transitive	N/A*	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-44906

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- mkdirp-0.5.1.tgz
  - ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

CVE-2024-4068

Vulnerable Library - braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- imagemin-6.1.0.tgz
  - globby-8.0.2.tgz
    - fast-glob-2.2.7.tgz
      - micromatch-3.1.10.tgz
        
        ❌ braces-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- imagemin-6.1.0.tgz
  - globby-8.0.2.tgz
    - fast-glob-2.2.7.tgz
      - micromatch-3.1.10.tgz
        
        snapdragon-0.8.2.tgz
        
        source-map-resolve-0.5.3.tgz
        
        ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution: decode-uri-component - 0.2.1

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- imagemin-svgo-7.0.0.tgz
  - svgo-1.3.2.tgz
    - css-select-2.1.0.tgz
      - ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

CVE-2021-29059

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- imagemin-svgo-7.0.0.tgz
  - ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Publish Date: 2021-06-21

URL: CVE-2021-29059

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-21

Fix Resolution: is-svg - 4.3.0

CVE-2021-28092

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- imagemin-svgo-7.0.0.tgz
  - ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution: v4.2.2

CVE-2020-28469

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- imagemin-6.1.0.tgz
  - globby-8.0.2.tgz
    - fast-glob-2.2.7.tgz
      - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-data-descriptor/node_modules/kind-of/package.json,/node_modules/kind-of/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- imagemin-6.1.0.tgz
  - globby-8.0.2.tgz
    - fast-glob-2.2.7.tgz
      - micromatch-3.1.10.tgz
        
        ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2024-08-04

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-12-30

Fix Resolution: kind-of - 6.0.3

CVE-2020-7598

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- mkdirp-0.5.1.tgz
  - ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

CVE-2024-4067

Vulnerable Library - micromatch-3.1.10.tgz

Glob matching for javascript/node.js. A drop-in replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json

Dependency Hierarchy:

imagemin-webpack-plugin-2.4.2.tgz (Root Library)
- imagemin-6.1.0.tgz
  - globby-8.0.2.tgz
    - fast-glob-2.2.7.tgz
      - ❌ micromatch-3.1.10.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4067

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: micromatch - 4.0.6

opentok-2.14.3.tgz: 11 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - opentok-2.14.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (opentok version)	Remediation Possible**
CVE-2023-26136	Critical	9.8	tough-cookie-2.5.0.tgz	Transitive	2.17.0	✅
CVE-2021-3918	Critical	9.8	json-schema-0.2.3.tgz	Transitive	2.15.0	✅
CVE-2022-23539	High	8.1	jsonwebtoken-8.5.1.tgz	Transitive	2.15.2	✅
CVE-2022-23540	High	7.6	jsonwebtoken-8.5.1.tgz	Transitive	2.15.2	✅
CVE-2022-25883	High	7.5	semver-5.7.1.tgz	Transitive	2.15.0	✅
CVE-2022-24999	High	7.5	qs-6.5.2.tgz	Transitive	2.15.0	✅
CVE-2020-8203	High	7.4	lodash-4.17.15.tgz	Transitive	2.15.0	✅
CVE-2021-23337	High	7.2	lodash-4.17.15.tgz	Transitive	2.15.0	✅
CVE-2022-23541	Medium	6.3	jsonwebtoken-8.5.1.tgz	Transitive	2.15.2	✅
CVE-2023-28155	Medium	6.1	request-2.88.2.tgz	Transitive	N/A*	❌
CVE-2020-28500	Medium	5.3	lodash-4.17.15.tgz	Transitive	2.15.0	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/node_modules/tough-cookie/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- request-2.88.2.tgz
  - ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (opentok): 2.17.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- request-2.88.2.tgz
  - http-signature-1.2.0.tgz
    - jsprim-1.4.1.tgz
      - ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (opentok): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (opentok): 2.15.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (opentok): 2.15.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- jsonwebtoken-8.5.1.tgz
  - ❌ semver-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2024-08-01

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (opentok): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- request-2.88.2.tgz
  - ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (opentok): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (opentok): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (opentok): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (opentok): 2.15.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/opentok/node_modules/request/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- ❌ request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

CVE-2020-28500

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

opentok-2.14.3.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (opentok): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.