mocha-3.4.1.tgz: 6 vulnerabilities (highest severity is: 9.8)

[dev-mend-for-github-com]

Vulnerable Library - mocha-3.4.1.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-3.4.1.tgz

Path to dependency file: /start-preset-idea/package.json

Path to vulnerable library: /start-preset-idea/node_modules/mocha/package.json,/modules/node_modules/mocha/package.json,/start-preset-depcheck/node_modules/mocha/package.json,/start-modules-tasks/node_modules/mocha/package.json,/start-git/node_modules/mocha/package.json,/start-preset-prepush/node_modules/mocha/package.json,/test-utils/node_modules/mocha/package.json,/start-preset-dependencies/node_modules/mocha/package.json,/start-tasks/node_modules/mocha/package.json,/start-npm-tasks/node_modules/mocha/package.json,/start-preset-modules/node_modules/mocha/package.json,/start-reporter/node_modules/mocha/package.json

Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2017-16042	High	9.8	growl-1.9.2.tgz	Transitive	4.0.0	✅
WS-2018-0590	High	7.0	diff-3.2.0.tgz	Transitive	5.0.3	✅
CVE-2020-7598	Medium	5.6	minimist-0.0.8.tgz	Transitive	6.2.3	✅
WS-2019-0425	Medium	5.3	mocha-3.4.1.tgz	Direct	6.0.0	✅
CVE-2017-16137	Medium	5.3	debug-2.6.0.tgz	Transitive	4.0.0	✅
WS-2017-0247	Low	3.4	ms-0.7.2.tgz	Transitive	3.5.0	✅

Details

CVE-2017-16042

Vulnerable Library - growl-1.9.2.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz

Path to dependency file: /start-reporter/package.json

Path to vulnerable library: /start-reporter/node_modules/growl/package.json,/start-modules-tasks/node_modules/growl/package.json,/start-preset-idea/node_modules/growl/package.json,/start-tasks/node_modules/growl/package.json,/start-preset-dependencies/node_modules/growl/package.json,/modules/node_modules/growl/package.json,/test-utils/node_modules/growl/package.json,/start-git/node_modules/growl/package.json,/start-preset-depcheck/node_modules/growl/package.json,/start-npm-tasks/node_modules/growl/package.json,/start-preset-prepush/node_modules/growl/package.json,/start-preset-modules/node_modules/growl/package.json

Dependency Hierarchy:

• mocha-3.4.1.tgz (Root Library)
  • ❌ growl-1.9.2.tgz (Vulnerable Library)

Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3

Found in base branch: master

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-06-04

Fix Resolution (growl): 1.10.2

Direct dependency fix Resolution (mocha): 4.0.0

⛑️ Automatic Remediation is available for this issue

WS-2018-0590

Vulnerable Library - diff-3.2.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.2.0.tgz

Path to dependency file: /start-preset-dependencies/package.json

Path to vulnerable library: /start-preset-dependencies/node_modules/diff/package.json,/start-preset-modules/node_modules/diff/package.json,/start-reporter/node_modules/diff/package.json,/start-preset-idea/node_modules/diff/package.json,/start-tasks/node_modules/diff/package.json,/start-git/node_modules/diff/package.json,/start-modules-tasks/node_modules/diff/package.json,/start-preset-depcheck/node_modules/diff/package.json,/test-utils/node_modules/diff/package.json,/start-npm-tasks/node_modules/diff/package.json,/start-preset-prepush/node_modules/diff/package.json,/modules/node_modules/diff/package.json

Dependency Hierarchy:

• mocha-3.4.1.tgz (Root Library)
  • ❌ diff-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3

⛑️ Automatic Remediation is available for this issue

CVE-2020-7598

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /start-npm-tasks/package.json

Path to vulnerable library: /start-npm-tasks/node_modules/mocha/node_modules/minimist/package.json,/start-modules-tasks/node_modules/mocha/node_modules/minimist/package.json,/start-preset-depcheck/node_modules/mocha/node_modules/minimist/package.json,/start-preset-dependencies/node_modules/mocha/node_modules/minimist/package.json,/start-preset-prepush/node_modules/mocha/node_modules/minimist/package.json,/start-reporter/node_modules/mocha/node_modules/minimist/package.json,/start-preset-idea/node_modules/mocha/node_modules/minimist/package.json,/modules/node_modules/mocha/node_modules/minimist/package.json,/start-tasks/node_modules/mocha/node_modules/minimist/package.json,/start-git/node_modules/mocha/node_modules/minimist/package.json,/test-utils/node_modules/mocha/node_modules/minimist/package.json,/start-preset-modules/node_modules/mocha/node_modules/minimist/package.json

Dependency Hierarchy:

• mocha-3.4.1.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (mocha): 6.2.3

⛑️ Automatic Remediation is available for this issue

WS-2019-0425

Vulnerable Library - mocha-3.4.1.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-3.4.1.tgz

Path to dependency file: /start-preset-idea/package.json

Path to vulnerable library: /start-preset-idea/node_modules/mocha/package.json,/modules/node_modules/mocha/package.json,/start-preset-depcheck/node_modules/mocha/package.json,/start-modules-tasks/node_modules/mocha/package.json,/start-git/node_modules/mocha/package.json,/start-preset-prepush/node_modules/mocha/package.json,/test-utils/node_modules/mocha/package.json,/start-preset-dependencies/node_modules/mocha/package.json,/start-tasks/node_modules/mocha/package.json,/start-npm-tasks/node_modules/mocha/package.json,/start-preset-modules/node_modules/mocha/package.json,/start-reporter/node_modules/mocha/package.json

Dependency Hierarchy:

• ❌ mocha-3.4.1.tgz (Vulnerable Library)

Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3

Found in base branch: master

Vulnerability Details

Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.

Publish Date: 2019-01-24

URL: WS-2019-0425

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: v6.0.0

Release Date: 2019-01-24

Fix Resolution: 6.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2017-16137

Vulnerable Library - debug-2.6.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.0.tgz

Path to dependency file: /start-preset-idea/package.json

Path to vulnerable library: /start-preset-idea/node_modules/mocha/node_modules/debug/package.json,/start-tasks/node_modules/mocha/node_modules/debug/package.json,/start-preset-prepush/node_modules/mocha/node_modules/debug/package.json,/start-modules-tasks/node_modules/mocha/node_modules/debug/package.json,/start-preset-modules/node_modules/mocha/node_modules/debug/package.json,/start-preset-dependencies/node_modules/mocha/node_modules/debug/package.json,/start-git/node_modules/mocha/node_modules/debug/package.json,/modules/node_modules/mocha/node_modules/debug/package.json,/test-utils/node_modules/mocha/node_modules/debug/package.json,/start-preset-depcheck/node_modules/mocha/node_modules/debug/package.json,/start-npm-tasks/node_modules/mocha/node_modules/debug/package.json,/start-reporter/node_modules/mocha/node_modules/debug/package.json

Dependency Hierarchy:

• mocha-3.4.1.tgz (Root Library)
  • ❌ debug-2.6.0.tgz (Vulnerable Library)

Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3

Found in base branch: master

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (mocha): 4.0.0

⛑️ Automatic Remediation is available for this issue

WS-2017-0247

Vulnerable Library - ms-0.7.2.tgz

Tiny milisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz

Path to dependency file: /test-utils/package.json

Path to vulnerable library: /test-utils/node_modules/mocha/node_modules/ms/package.json,/start-git/node_modules/mocha/node_modules/ms/package.json,/start-preset-prepush/node_modules/mocha/node_modules/ms/package.json,/start-modules-tasks/node_modules/mocha/node_modules/ms/package.json,/start-preset-idea/node_modules/mocha/node_modules/ms/package.json,/start-npm-tasks/node_modules/mocha/node_modules/ms/package.json,/start-reporter/node_modules/mocha/node_modules/ms/package.json,/start-preset-dependencies/node_modules/mocha/node_modules/ms/package.json,/start-preset-modules/node_modules/mocha/node_modules/ms/package.json,/start-tasks/node_modules/mocha/node_modules/ms/package.json,/start-preset-depcheck/node_modules/mocha/node_modules/ms/package.json,/modules/node_modules/mocha/node_modules/ms/package.json

Dependency Hierarchy:

• mocha-3.4.1.tgz (Root Library)
  • debug-2.6.0.tgz
    • ❌ ms-0.7.2.tgz (Vulnerable Library)

Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3

Found in base branch: master

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution (ms): 2.0.0

Direct dependency fix Resolution (mocha): 3.5.0

⛑️ Automatic Remediation is available for this issue

---

⛑️ Automatic Remediation is available for this issue.

[dev-mend-for-github-com]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

[dev-mend-for-github-com]

ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

[dev-mend-for-github-com]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

[dev-mend-for-github-com]

ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.