Description
Vulnerable Library - mini-css-extract-plugin-0.4.2.tgz
extracts CSS into separate files
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mini-css-extract-plugin/package.json
Findings
| Finding | Severity | CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-37601 | Critical | 9.3 | Not Defined | 24.6% | loader-utils-1.1.0.tgz | Transitive | N/A | ❌ | |
| CVE-2022-37599 | High | 8.7 | Not Defined | 7.1000004% | loader-utils-1.1.0.tgz | Transitive | N/A | ❌ | |
| CVE-2022-37603 | High | 8.7 | Not Defined | 1.7% | loader-utils-1.1.0.tgz | Transitive | N/A | ❌ | |
| CVE-2020-15366 | Medium | 6.3 | Not Defined | < 1% | ajv-6.5.2.tgz | Transitive | N/A | ❌ | |
Details
CVE-2022-37601
Vulnerable Library - loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- babel-loader-7.1.5.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- postcss-loader-3.0.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- webpack-cli-3.1.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- mini-css-extract-plugin-0.4.2.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- sass-loader-7.1.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- css-loader-1.0.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: Oct 12, 2022 12:00 AM
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 24.6%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: Oct 12, 2022 12:00 AM
Fix Resolution: loader-utils - 2.0.3, loader-utils - 1.4.1
CVE-2022-37599
Vulnerable Library - loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- babel-loader-7.1.5.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- postcss-loader-3.0.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- webpack-cli-3.1.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- mini-css-extract-plugin-0.4.2.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- sass-loader-7.1.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- css-loader-1.0.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
Vulnerability Details
A regular expression denial of service (ReDoS) flaw was found in function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: Oct 11, 2022 12:00 AM
URL: CVE-2022-37599
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 7.1000004%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: Oct 11, 2022 12:00 AM
Fix Resolution: loader-utils - 2.0.4, loader-utils - 3.2.1, loader-utils - 1.4.2, https://github.com/webpack/loader-utils.git - no_fix
CVE-2022-37603
Vulnerable Library - loader-utils-1.1.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- babel-loader-7.1.5.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- postcss-loader-3.0.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- webpack-cli-3.1.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- mini-css-extract-plugin-0.4.2.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- sass-loader-7.1.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
- css-loader-1.0.0.tgz (Root Library)
  - ❌ loader-utils-1.1.0.tgz (Vulnerable Library)
Vulnerability Details
A regular expression denial of service (ReDoS) flaw was found in function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: Oct 14, 2022 12:00 AM
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.7%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: Oct 14, 2022 12:00 AM
Fix Resolution: loader-utils - 1.4.2, loader-utils - 3.2.1, loader-utils - 2.0.4
CVE-2020-15366
Vulnerable Library - ajv-6.5.2.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ajv/package.json
Dependency Hierarchy:
- webpack-4.17.1.tgz (Root Library)
  - ❌ ajv-6.5.2.tgz (Vulnerable Library)
- postcss-loader-3.0.0.tgz (Root Library)
  - schema-utils-1.0.0.tgz
    - ❌ ajv-6.5.2.tgz (Vulnerable Library)
- eslint-5.4.0.tgz (Root Library)
  - table-4.0.3.tgz
    - ❌ ajv-6.5.2.tgz (Vulnerable Library)
- mini-css-extract-plugin-0.4.2.tgz (Root Library)
  - schema-utils-1.0.0.tgz
    - ❌ ajv-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: Jul 15, 2020 07:14 PM
URL: CVE-2020-15366
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-v88g-cgmw-v5xw
Release Date: Jul 15, 2020 07:14 PM
Fix Resolution: ajv - 6.12.3