
synthetix-js-2.66.2.tgz: 21 vulnerabilities (highest severity is: 9.8) #5

Open
@mend-for-github-com

Description

Vulnerable Library - synthetix-js-2.66.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (synthetix-js version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-44906 | Critical | 9.8 | minimist-1.2.5.tgz | Transitive | 2.68.2 | |
| CVE-2023-45133 | High | 8.8 | detected in multiple dependencies | Transitive | 2.68.2 | |
| CVE-2022-46175 | High | 8.8 | json5-0.5.1.tgz | Transitive | N/A* | |
| CVE-2021-43138 | High | 7.8 | async-2.6.3.tgz | Transitive | 2.68.2 | |
| CVE-2020-13822 | High | 7.7 | elliptic-6.5.2.tgz | Transitive | N/A* | |
| CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 2.68.2 | |
| CVE-2022-25901 | High | 7.5 | cookiejar-2.1.2.tgz | Transitive | 2.68.2 | |
| CVE-2022-25883 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2021-3807 | High | 7.5 | detected in multiple dependencies | Transitive | 2.68.2 | |
| CVE-2020-8203 | High | 7.4 | lodash-4.17.15.tgz | Transitive | N/A* | |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.15.tgz | Transitive | N/A* | |
| CVE-2020-28498 | Medium | 6.8 | elliptic-6.5.2.tgz | Transitive | N/A* | |
| CVE-2023-45857 | Medium | 6.5 | axios-0.18.1.tgz | Transitive | N/A* | |
| CVE-2022-1365 | Medium | 6.5 | cross-fetch-2.2.3.tgz | Transitive | 2.68.2 | |
| CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | |
| CVE-2022-0235 | Medium | 6.1 | detected in multiple dependencies | Transitive | N/A* | |
| WS-2019-0424 | Medium | 5.9 | elliptic-6.5.2.tgz | Transitive | N/A* | |
| CVE-2020-28168 | Medium | 5.9 | axios-0.18.1.tgz | Transitive | N/A* | |
| CVE-2021-32640 | Medium | 5.3 | ws-7.3.0.tgz | Transitive | 2.68.2 | |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.15.tgz | Transitive | N/A* | |
| CVE-2020-15168 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • web3-provider-engine-1.1.2.tgz
        • eth-json-rpc-infura-3.2.1.tgz
          • eth-json-rpc-middleware-1.6.0.tgz
            • tape-4.13.3.tgz
              • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (synthetix-js): 2.68.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-45133

Vulnerable Libraries - traverse-7.14.5.tgz, babel-traverse-6.26.0.tgz

traverse-7.14.5.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.14.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • web3-provider-engine-16.0.1.tgz
        • eth-block-tracker-4.4.3.tgz
          • plugin-transform-runtime-7.14.5.tgz
            • babel-plugin-polyfill-corejs3-0.2.2.tgz
              • helper-define-polyfill-provider-0.2.3.tgz
                • traverse-7.14.5.tgz (Vulnerable Library)

babel-traverse-6.26.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • web3-provider-engine-1.1.2.tgz
        • eth-json-rpc-infura-3.2.1.tgz
          • json-rpc-engine-3.8.0.tgz
            • babel-preset-env-1.7.0.tgz
              • babel-plugin-transform-es2015-block-scoping-6.26.0.tgz
                • babel-traverse-6.26.0.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (synthetix-js): 2.68.2

Fix Resolution (babel-traverse): 7.23.2

Direct dependency fix Resolution (synthetix-js): 2.68.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-46175

Vulnerable Library - json5-0.5.1.tgz

JSON for the ES5 era.

Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • web3-provider-engine-1.1.2.tgz
        • eth-json-rpc-infura-3.2.1.tgz
          • json-rpc-engine-3.8.0.tgz
            • babelify-7.3.0.tgz
              • babel-core-6.26.3.tgz
                • json5-0.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution: json5 - 2.2.2

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • web3-provider-engine-16.0.1.tgz
        • async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (synthetix-js): 2.68.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-13822

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • ethers-4.0.44.tgz
      • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution: v6.5.3

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • utils-1.4.1.tgz
        • query-string-6.13.5.tgz
          • decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (synthetix-js): 2.68.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25901

Vulnerable Library - cookiejar-2.1.2.tgz

simple persistent cookiejar system

Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • http-connection-1.4.1.tgz
        • xhr2-cookies-1.1.0.tgz
          • cookiejar-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Publish Date: 2023-01-18

URL: CVE-2022-25901

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-18

Fix Resolution (cookiejar): 2.1.4

Direct dependency fix Resolution (synthetix-js): 2.68.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25883

Vulnerable Libraries - semver-5.4.1.tgz, semver-6.3.0.tgz, semver-7.0.0.tgz, semver-5.7.1.tgz

semver-5.4.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • web3-provider-engine-16.0.1.tgz
        • ethereumjs-block-1.7.1.tgz
          • merkle-patricia-tree-2.3.2.tgz
            • levelup-1.3.9.tgz
              • semver-5.4.1.tgz (Vulnerable Library)

semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • web3-provider-engine-16.0.1.tgz
        • eth-block-tracker-4.4.3.tgz
          • plugin-transform-runtime-7.14.5.tgz
            • babel-plugin-polyfill-corejs2-0.2.2.tgz
              • semver-6.3.0.tgz (Vulnerable Library)

semver-7.0.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • web3-provider-engine-16.0.1.tgz
        • eth-block-tracker-4.4.3.tgz
          • plugin-transform-runtime-7.14.5.tgz
            • babel-plugin-polyfill-corejs3-0.2.2.tgz
              • core-js-compat-3.14.0.tgz
                • semver-7.0.0.tgz (Vulnerable Library)

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • web3-provider-engine-1.1.2.tgz
        • eth-json-rpc-infura-3.2.1.tgz
          • json-rpc-engine-3.8.0.tgz
            • babel-preset-env-1.7.0.tgz
              • semver-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver - 7.5.2

CVE-2021-3807

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • synthetix-2.66.2.tgz
      • inquirer-6.5.2.tgz
        • strip-ansi-5.2.0.tgz
          • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • synthetix-2.66.2.tgz
      • inquirer-6.5.2.tgz
        • string-width-2.1.1.tgz
          • strip-ansi-4.0.0.tgz
            • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (synthetix-js): 2.68.2

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (synthetix-js): 2.68.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: lodash - 4.17.19

CVE-2021-23337

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21

CVE-2020-28498

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • ethers-4.0.44.tgz
      • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: elliptic - 6.5.4

CVE-2023-45857

Vulnerable Library - axios-0.18.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • pocket-js-core-0.0.3.tgz
        • axios-0.18.1.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: axios - 1.6.0

CVE-2022-1365

Vulnerable Library - cross-fetch-2.2.3.tgz

Universal WHATWG Fetch API for Node, Browsers and React Native

Library home page: https://registry.npmjs.org/cross-fetch/-/cross-fetch-2.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • web3-provider-engine-1.1.2.tgz
        • eth-json-rpc-infura-3.2.1.tgz
          • cross-fetch-2.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.

Publish Date: 2022-04-15

URL: CVE-2022-1365

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1365

Release Date: 2022-04-15

Fix Resolution (cross-fetch): 2.2.6

Direct dependency fix Resolution (synthetix-js): 2.68.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • web3-provider-engine-16.0.1.tgz
        • request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

CVE-2022-0235

Vulnerable Libraries - node-fetch-1.7.3.tgz, node-fetch-2.1.2.tgz

node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • web3-provider-engine-1.1.2.tgz
        • eth-json-rpc-infura-3.2.1.tgz
          • eth-json-rpc-middleware-1.6.0.tgz
            • fetch-ponyfill-4.1.0.tgz
              • node-fetch-1.7.3.tgz (Vulnerable Library)

node-fetch-2.1.2.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • web3-provider-engine-16.0.1.tgz
        • cross-fetch-2.2.3.tgz
          • node-fetch-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7, 3.1.1

WS-2019-0424

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • ethers-4.0.44.tgz
      • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

All versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424

Release Date: 2019-11-13

Fix Resolution: GR.PageRender.Razor - 1.8.0; MIDIator.WebClient - 1.0.105; Romano.Vue - 1.0.1; org.webjars.npm:elliptic - 6.5.4, 6.3.3; VueJS.NetCore - 1.1.1; elliptic - 6.5.3; Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1; NorDroN.AngularTemplate - 0.1.6; CoreVueWebTest - 3.0.101; dotnetng.template - 1.0.0.4; Fable.Template.Elmish.React - 0.1.6

CVE-2020-28168

Vulnerable Library - axios-0.18.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • pocket-js-core-0.0.3.tgz
        • axios-0.18.1.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution: axios - 0.21.1

CVE-2021-32640

Vulnerable Library - ws-7.3.0.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • client-1.4.1.tgz
        • core-1.4.1.tgz
          • socket-transport-1.4.1.tgz
            • ws-7.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 7.4.6

Direct dependency fix Resolution (synthetix-js): 2.68.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28500

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

CVE-2020-15168

Vulnerable Libraries - node-fetch-1.7.3.tgz, node-fetch-2.1.2.tgz

node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-2.0.0-beta.59.tgz
      • web3-provider-engine-1.1.2.tgz
        • eth-json-rpc-infura-3.2.1.tgz
          • eth-json-rpc-middleware-1.6.0.tgz
            • fetch-ponyfill-4.1.0.tgz
              • node-fetch-1.7.3.tgz (Vulnerable Library)

node-fetch-2.1.2.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • synthetix-js-2.66.2.tgz (Root Library)
    • web3-provider-1.4.1.tgz
      • web3-provider-engine-16.0.1.tgz
        • cross-fetch-2.2.3.tgz
          • node-fetch-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 1c0d84239bf264be45e76103ca820dd997ae476f

Found in base branch: master

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant; for example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution: 2.6.1,3.0.0-beta.9

⛑️ Automatic Remediation will be attempted for this issue.