Description
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (node-sass version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|
| CVE-2021-44906 | 9.8 | minimist-1.2.0.tgz | Transitive | 4.9.4 | ❌ | |
| CVE-2018-11499 | 9.8 | node-sass-4.9.3.tgz | Direct | 4.14.0 | ✅ | |
| CVE-2019-10744 | 9.1 | lodash.mergewith-4.6.1.tgz | Transitive | 4.9.4 | ✅ | |
| CVE-2018-19827 | 8.8 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2018-11694 | 8.8 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2018-11693 | 8.1 | node-sass-4.9.3.tgz | Direct | 4.11.0 | ✅ | |
| CVE-2022-3517 | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-24999 | 7.5 | qs-6.5.1.tgz | Transitive | 4.9.4 | ✅ | |
| CVE-2021-33623 | 7.5 | trim-newlines-1.0.0.tgz | Transitive | 6.0.1 | ✅ | |
| CVE-2019-13173 | 7.5 | fstream-1.0.11.tgz | Transitive | 4.9.4 | ✅ | |
| CVE-2018-20834 | 7.5 | tar-2.2.1.tgz | Transitive | 4.9.4 | ✅ | |
| WS-2019-0180 | 7.3 | lodash.mergewith-4.6.1.tgz | Transitive | 4.9.4 | ✅ | |
| CVE-2020-7774 | 7.3 | y18n-3.2.1.tgz | Transitive | 4.9.4 | ✅ | |
| CVE-2019-6284 | 6.5 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2019-6283 | 6.5 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2019-18797 | 6.5 | node-sass-4.9.3.tgz | Direct | 4.14.0 | ✅ | |
| CVE-2018-20822 | 6.5 | node-sass-4.9.3.tgz | Direct | 4.13.1 | ✅ | |
| CVE-2018-20821 | 6.5 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2018-20190 | 6.5 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2018-19839 | 6.5 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2018-19838 | 6.5 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2018-19837 | 6.5 | node-sass-4.9.3.tgz | Direct | 4.14.0 | ✅ | |
| CVE-2018-19797 | 6.5 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2023-28155 | 6.1 | request-2.87.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2020-7598 | 5.6 | minimist-1.2.0.tgz | Transitive | 4.9.4 | ❌ | |
| CVE-2020-15366 | 5.6 | ajv-5.5.2.tgz | Transitive | 4.9.4 | ✅ | |
| CVE-2020-7608 | 5.3 | yargs-parser-5.0.0.tgz | Transitive | 4.9.4 | ✅ | |
| CVE-2018-11698 | 4.8 | node-sass-4.9.3.tgz | Direct | 5.0.0 | ✅ | |
| CVE-2018-11697 | 4.8 | node-sass-4.9.3.tgz | Direct | 4.14.0 | ✅ | |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2021-44906
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - meow-3.7.0.tgz
    - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (node-sass): 4.9.4
CVE-2018-11499
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish Date: 2018-05-26
URL: CVE-2018-11499
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-05-26
Fix Resolution: 4.14.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-10744
Vulnerable Library - lodash.mergewith-4.6.1.tgz
The Lodash method `_.mergeWith` exported as a module.
Library home page: https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash.mergewith/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - ❌ lodash.mergewith-4.6.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-25
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.mergewith): 4.6.2
Direct dependency fix Resolution (node-sass): 4.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-19827
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-03
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-11694
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11694
Release Date: 2018-06-04
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-11693
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11693
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: 4.11.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json,/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - true-case-path-1.0.2.tgz
    - glob-6.0.4.tgz
      - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2022-24999
Vulnerable Library - qs-6.5.1.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - request-2.87.0.tgz
    - ❌ qs-6.5.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (node-sass): 4.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-33623
Vulnerable Library - trim-newlines-1.0.0.tgz
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - meow-3.7.0.tgz
    - ❌ trim-newlines-1.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (node-sass): 6.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-13173
Vulnerable Library - fstream-1.0.11.tgz
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fstream/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - node-gyp-3.8.0.tgz
    - ❌ fstream-1.0.11.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
Publish Date: 2019-07-02
URL: CVE-2019-13173
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173
Release Date: 2019-07-02
Fix Resolution (fstream): 1.0.12
Direct dependency fix Resolution (node-sass): 4.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-20834
Vulnerable Library - tar-2.2.1.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - node-gyp-3.8.0.tgz
    - ❌ tar-2.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
Publish Date: 2019-04-30
URL: CVE-2018-20834
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834
Release Date: 2019-04-30
Fix Resolution (tar): 2.2.2
Direct dependency fix Resolution (node-sass): 4.9.4
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0180
Vulnerable Library - lodash.mergewith-4.6.1.tgz
The Lodash method `_.mergeWith` exported as a module.
Library home page: https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash.mergewith/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - ❌ lodash.mergewith-4.6.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
lodash.mergewith before 4.6.2 is vulnerable to prototype pollution. The function mergeWith() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2019-08-14
URL: WS-2019-0180
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1071
Release Date: 2019-08-14
Fix Resolution (lodash.mergewith): 4.6.2
Direct dependency fix Resolution (node-sass): 4.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7774
Vulnerable Library - y18n-3.2.1.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - sass-graph-2.2.4.tgz
    - yargs-7.1.0.tgz
      - ❌ y18n-3.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (node-sass): 4.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-6284
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6284
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
Release Date: 2020-08-24
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-6283
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
Release Date: 2020-08-24
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-18797
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.
Publish Date: 2019-11-06
URL: CVE-2019-18797
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797
Release Date: 2019-11-06
Fix Resolution: 4.14.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-20822
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20822
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-04-23
Fix Resolution: 4.13.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-20821
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821
Release Date: 2019-04-23
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-20190
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-17
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-19839
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839
Release Date: 2018-12-04
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-19838
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Publish Date: 2018-12-04
URL: CVE-2018-19838
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-04
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-19837
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.
Publish Date: 2018-12-04
URL: CVE-2018-19837
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-04
Fix Resolution: 4.14.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-19797
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797
Release Date: 2018-12-03
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-28155
Vulnerable Library - request-2.87.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.87.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - ❌ request-2.87.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
CVE-2020-7598
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - meow-3.7.0.tgz
    - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a `"constructor"` or `"__proto__"` payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 1.2.3
Direct dependency fix Resolution (node-sass): 4.9.4
CVE-2020-15366
Vulnerable Library - ajv-5.5.2.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/har-validator/node_modules/ajv/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - request-2.87.0.tgz
    - har-validator-5.0.3.tgz
      - ❌ ajv-5.5.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (node-sass): 4.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7608
Vulnerable Library - yargs-parser-5.0.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs-parser/package.json
Dependency Hierarchy:
- node-sass-4.9.3.tgz (Root Library)
  - sass-graph-2.2.4.tgz
    - yargs-7.1.0.tgz
      - ❌ yargs-parser-5.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 5.0.1
Direct dependency fix Resolution (node-sass): 4.9.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-11698
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-11697
Vulnerable Library - node-sass-4.9.3.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-4.9.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11697
Release Date: 2018-06-04
Fix Resolution: 4.14.0
⛑️ Automatic Remediation will be attempted for this issue.