gatsby-2.14.0.tgz: 122 vulnerabilities (highest severity is: 10.0)

[mend-for-github-com]

Vulnerable Library - gatsby-2.14.0.tgz

Blazing fast modern site generator for React

Library home page: https://registry.npmjs.org/gatsby/-/gatsby-2.14.0.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (gatsby version)	Remediation Possible**	Reachability
CVE-2022-2421	Critical	10.0	Not Defined	0.2%	socket.io-parser-3.3.0.tgz	Transitive	2.14.1	✅
MSC-2023-16609	Critical	9.8	High		fsevents-1.2.9.tgz	Transitive	N/A*	❌
CVE-2023-45311	Critical	9.8	Not Defined	0.5%	fsevents-1.2.9.tgz	Transitive	2.14.1	✅
CVE-2023-42282	Critical	9.8	Not Defined	0.1%	ip-1.1.5.tgz	Transitive	2.14.1	✅
CVE-2022-37601	Critical	9.8	Not Defined	1.0%	loader-utils-1.2.3.tgz	Transitive	2.14.1	✅
CVE-2022-2216	Critical	9.8	Not Defined	0.2%	parse-url-5.0.1.tgz	Transitive	2.14.1	✅
CVE-2022-0691	Critical	9.8	Not Defined	0.3%	url-parse-1.4.7.tgz	Transitive	2.14.1	✅
CVE-2021-44906	Critical	9.8	Not Defined	3.5%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2021-42740	Critical	9.8	Not Defined	0.4%	shell-quote-1.6.1.tgz	Transitive	4.14.0	✅
CVE-2020-7720	Critical	9.8	Proof of concept	0.2%	node-forge-0.7.5.tgz	Transitive	2.14.1	✅
CVE-2021-31597	Critical	9.4	Not Defined	0.2%	xmlhttprequest-ssl-1.5.5.tgz	Transitive	2.14.1	✅
CVE-2023-45133	Critical	9.3	Not Defined	0.1%	traverse-7.5.5.tgz	Transitive	2.14.1	✅
CVE-2024-42461	Critical	9.1	Not Defined	0.1%	elliptic-6.5.0.tgz	Transitive	N/A*	❌
CVE-2024-29415	Critical	9.1	Not Defined		ip-1.1.5.tgz	Transitive	N/A*	❌
CVE-2022-2900	Critical	9.1	Not Defined	0.2%	parse-url-5.0.1.tgz	Transitive	2.18.13-telemetry-test.2972	✅
CVE-2022-0686	Critical	9.1	Not Defined	0.2%	url-parse-1.4.7.tgz	Transitive	2.14.1	✅
CVE-2021-37713	High	8.2	Not Defined	0.1%	tar-4.4.10.tgz	Transitive	2.14.1	✅
CVE-2021-37712	High	8.2	Not Defined	0.1%	tar-4.4.10.tgz	Transitive	2.14.1	✅
CVE-2021-37701	High	8.2	Not Defined	0.1%	tar-4.4.10.tgz	Transitive	2.14.1	✅
CVE-2021-32804	High	8.2	Not Defined	0.70000005%	tar-4.4.10.tgz	Transitive	2.14.1	✅
CVE-2021-32803	High	8.2	Not Defined	0.70000005%	tar-4.4.10.tgz	Transitive	2.14.1	✅
WS-2020-0443	High	8.1	Not Defined		socket.io-2.2.0.tgz	Transitive	2.14.1	✅
CVE-2022-1650	High	8.1	Not Defined	0.4%	detected in multiple dependencies	Transitive	3.0.0-reach-router.14	✅
CVE-2020-7660	High	8.1	Not Defined	1.0%	serialize-javascript-1.8.0.tgz	Transitive	2.18.7-jobs-api-v2.26	✅
CVE-2020-36604	High	8.1	Not Defined	0.2%	hoek-8.2.1.tgz	Transitive	2.14.1	✅
CVE-2020-28502	High	8.1	Proof of concept	3.0%	xmlhttprequest-ssl-1.5.5.tgz	Transitive	2.14.1	✅
CVE-2021-23386	High	7.7	Not Defined	0.1%	dns-packet-1.3.1.tgz	Transitive	2.14.1	✅
CVE-2020-15256	High	7.7	Not Defined	0.3%	object-path-0.11.4.tgz	Transitive	2.14.1	✅
CVE-2020-13822	High	7.7	Not Defined	0.4%	elliptic-6.5.0.tgz	Transitive	2.14.1	✅
WS-2022-0238	High	7.5	Not Defined		parse-url-5.0.1.tgz	Transitive	2.18.13-telemetry-test.2972	✅
WS-2022-0237	High	7.5	Not Defined		parse-url-5.0.1.tgz	Transitive	2.18.13-telemetry-test.2972	✅
WS-2021-0152	High	7.5	Not Defined		color-string-1.5.3.tgz	Transitive	2.14.1	✅
WS-2020-0091	High	7.5	Not Defined		http-proxy-1.17.0.tgz	Transitive	2.14.1	✅
WS-2020-0042	High	7.5	Not Defined		acorn-6.3.0.tgz	Transitive	2.14.1	✅
CVE-2024-4068	High	7.5	Not Defined	0.0%	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-37890	High	7.5	Not Defined	0.0%	detected in multiple dependencies	Transitive	3.13.0	✅
CVE-2022-38900	High	7.5	Not Defined	0.4%	decode-uri-component-0.2.0.tgz	Transitive	2.14.1	✅
CVE-2022-37603	High	7.5	Not Defined	0.70000005%	loader-utils-1.2.3.tgz	Transitive	2.14.1	✅
CVE-2022-3517	High	7.5	Not Defined	0.2%	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-31129	High	7.5	Not Defined	0.3%	moment-2.29.2.tgz	Transitive	2.14.1	✅
CVE-2022-24999	High	7.5	Not Defined	1.9%	qs-6.7.0.tgz	Transitive	2.14.1	✅
CVE-2022-24772	High	7.5	Not Defined	0.1%	node-forge-0.7.5.tgz	Transitive	3.13.0	✅
CVE-2022-24771	High	7.5	Not Defined	0.1%	node-forge-0.7.5.tgz	Transitive	3.13.0	✅
CVE-2022-0722	High	7.5	Not Defined	0.1%	parse-url-5.0.1.tgz	Transitive	2.14.1	✅
CVE-2021-3807	High	7.5	Not Defined	0.4%	ansi-regex-4.1.0.tgz	Transitive	2.14.1	✅
CVE-2021-3805	High	7.5	Not Defined	0.3%	object-path-0.11.4.tgz	Transitive	2.14.1	✅
CVE-2021-3803	High	7.5	Not Defined	0.3%	nth-check-1.0.2.tgz	Transitive	3.5.0-telemetry-test.252	✅
CVE-2021-3749	High	7.5	Not Defined	1.9%	axios-0.19.0.tgz	Transitive	2.24.16-ink3.22	✅
CVE-2021-29059	High	7.5	Not Defined	0.4%	is-svg-3.0.0.tgz	Transitive	2.14.1	✅
CVE-2021-28092	High	7.5	Not Defined	0.2%	is-svg-3.0.0.tgz	Transitive	2.14.1	✅
CVE-2021-27290	High	7.5	Not Defined	0.2%	ssri-6.0.1.tgz	Transitive	2.14.1	✅
CVE-2021-23424	High	7.5	Proof of concept	0.2%	ansi-html-0.0.7.tgz	Transitive	2.14.1	✅
CVE-2020-7662	High	7.5	Not Defined	0.2%	websocket-extensions-0.1.3.tgz	Transitive	2.14.1	✅
CVE-2020-36049	High	7.5	Not Defined	0.2%	socket.io-parser-3.3.0.tgz	Transitive	2.14.1	✅
CVE-2020-36048	High	7.5	Not Defined	0.2%	engine.io-3.3.2.tgz	Transitive	2.14.1	✅
CVE-2024-29180	High	7.4	Not Defined	0.0%	webpack-dev-middleware-3.7.0.tgz	Transitive	N/A*	❌
CVE-2020-8203	High	7.4	Not Defined	1.7%	lodash-4.17.15.tgz	Transitive	2.14.1	✅
CVE-2020-4038	High	7.4	Not Defined	0.2%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2024-38355	High	7.3	Not Defined	0.0%	socket.io-2.2.0.tgz	Transitive	5.12.0	✅
CVE-2023-26159	High	7.3	Proof of concept	0.1%	detected in multiple dependencies	Transitive	2.24.16-ink3.22	✅
CVE-2022-0624	High	7.3	Not Defined	0.1%	parse-path-4.0.1.tgz	Transitive	2.18.13-telemetry-test.2972	✅
CVE-2020-8116	High	7.3	Not Defined	0.2%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2020-7788	High	7.3	Proof of concept	1.2%	ini-1.3.5.tgz	Transitive	2.14.1	✅
CVE-2020-7774	High	7.3	Proof of concept	26.9%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2021-23337	High	7.2	Proof of concept	0.9%	lodash-4.17.15.tgz	Transitive	2.14.1	✅
CVE-2022-46175	High	7.1	Not Defined	1.0%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2022-41940	High	7.1	Not Defined	0.1%	engine.io-3.3.2.tgz	Transitive	2.14.1	✅
CVE-2020-28498	Medium	6.8	Not Defined	0.1%	elliptic-6.5.0.tgz	Transitive	2.14.1	✅
WS-2022-0008	Medium	6.6	Not Defined		node-forge-0.7.5.tgz	Transitive	3.13.0	✅
CVE-2024-28863	Medium	6.5	Not Defined	0.0%	tar-4.4.10.tgz	Transitive	N/A*	❌
CVE-2024-28849	Medium	6.5	Not Defined	0.0%	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2023-46234	Medium	6.5	Not Defined	0.1%	browserify-sign-4.0.4.tgz	Transitive	2.14.1	✅
CVE-2023-45857	Medium	6.5	Not Defined	0.1%	axios-0.19.0.tgz	Transitive	2.24.16-ink3.22	✅
CVE-2022-1365	Medium	6.5	Not Defined	0.1%	cross-fetch-2.2.2.tgz	Transitive	2.24.16-ink3.22	✅
CVE-2022-0155	Medium	6.5	Not Defined	0.2%	detected in multiple dependencies	Transitive	2.24.16-ink3.22	✅
CVE-2024-43788	Medium	6.4	Not Defined	0.1%	webpack-4.39.2.tgz	Transitive	N/A*	❌
CVE-2020-36632	Medium	6.3	Not Defined	0.70000005%	flat-4.1.0.tgz	Transitive	2.14.1	✅
WS-2022-0239	Medium	6.1	Not Defined		parse-url-5.0.1.tgz	Transitive	2.18.13-telemetry-test.2972	✅
CVE-2024-29041	Medium	6.1	Not Defined	0.0%	express-4.17.1.tgz	Transitive	N/A*	❌
CVE-2022-3224	Medium	6.1	Not Defined	0.1%	parse-url-5.0.1.tgz	Transitive	2.18.13-telemetry-test.2972	✅
CVE-2022-2218	Medium	6.1	Not Defined	0.1%	parse-url-5.0.1.tgz	Transitive	2.14.1	✅
CVE-2022-2217	Medium	6.1	Not Defined	0.1%	parse-url-5.0.1.tgz	Transitive	2.14.1	✅
CVE-2022-0235	Medium	6.1	Not Defined	0.4%	detected in multiple dependencies	Transitive	4.22.0	✅
CVE-2022-0122	Medium	6.1	Not Defined	0.1%	node-forge-0.7.5.tgz	Transitive	3.13.0	✅
WS-2019-0427	Medium	5.9	Not Defined		elliptic-6.5.0.tgz	Transitive	2.14.1	✅
WS-2019-0424	Medium	5.9	Not Defined		elliptic-6.5.0.tgz	Transitive	2.14.1	✅
CVE-2020-28168	Medium	5.9	Not Defined	0.3%	axios-0.19.0.tgz	Transitive	2.31.0	✅
CVE-2021-24033	Medium	5.6	Not Defined	0.2%	react-dev-utils-4.2.3.tgz	Transitive	3.0.0-reach-router.14	✅
CVE-2021-23434	Medium	5.6	Not Defined	0.70000005%	object-path-0.11.4.tgz	Transitive	2.14.1	✅
CVE-2020-7598	Medium	5.6	Not Defined	0.1%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2020-15366	Medium	5.6	Not Defined	0.4%	ajv-6.10.2.tgz	Transitive	2.14.1	✅
CVE-2024-42460	Medium	5.3	Not Defined	0.0%	elliptic-6.5.0.tgz	Transitive	N/A*	❌
CVE-2024-42459	Medium	5.3	Not Defined	0.0%	elliptic-6.5.0.tgz	Transitive	N/A*	❌
CVE-2024-4067	Medium	5.3	Not Defined	0.0%	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2023-44270	Medium	5.3	Not Defined	0.1%	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	Not Defined	0.1%	detected in multiple dependencies	Transitive	5.0.0	✅
CVE-2022-25883	Medium	5.3	Proof of concept	0.2%	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-25881	Medium	5.3	Not Defined	0.2%	http-cache-semantics-3.8.1.tgz	Transitive	3.14.0	✅
CVE-2022-25858	Medium	5.3	Not Defined	0.2%	terser-4.2.1.tgz	Transitive	2.14.1	✅
CVE-2022-24773	Medium	5.3	Not Defined	0.1%	node-forge-0.7.5.tgz	Transitive	3.13.0	✅
CVE-2022-0639	Medium	5.3	Not Defined	0.1%	url-parse-1.4.7.tgz	Transitive	2.14.1	✅
CVE-2022-0512	Medium	5.3	Not Defined	0.1%	url-parse-1.4.7.tgz	Transitive	2.14.1	✅
CVE-2021-3664	Medium	5.3	Not Defined	0.1%	url-parse-1.4.7.tgz	Transitive	2.14.1	✅
CVE-2021-32640	Medium	5.3	Not Defined	0.2%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2021-29060	Medium	5.3	Not Defined	0.2%	color-string-1.5.3.tgz	Transitive	2.14.1	✅
CVE-2021-27515	Medium	5.3	Not Defined	0.2%	url-parse-1.4.7.tgz	Transitive	2.14.1	✅
CVE-2021-23382	Medium	5.3	Not Defined	0.2%	detected in multiple dependencies	Transitive	3.0.0-reach-router.14	✅
CVE-2021-23368	Medium	5.3	Not Defined	0.5%	postcss-7.0.17.tgz	Transitive	3.0.0-reach-router.14	✅
CVE-2021-23364	Medium	5.3	Proof of concept	0.2%	browserslist-4.6.6.tgz	Transitive	2.14.1	✅
CVE-2021-23362	Medium	5.3	Proof of concept	0.3%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2021-23343	Medium	5.3	Not Defined	0.3%	path-parse-1.0.6.tgz	Transitive	2.14.1	✅
CVE-2020-7693	Medium	5.3	Proof of concept	0.9%	sockjs-0.3.19.tgz	Transitive	2.14.1	✅
CVE-2020-7608	Medium	5.3	Not Defined	0.0%	detected in multiple dependencies	Transitive	2.18.4	✅
CVE-2020-28500	Medium	5.3	Proof of concept	0.2%	lodash-4.17.15.tgz	Transitive	2.14.1	✅
CVE-2020-28481	Medium	5.3	Proof of concept	0.2%	socket.io-2.2.0.tgz	Transitive	2.14.1	✅
CVE-2020-28469	Medium	5.3	Not Defined	1.2%	glob-parent-3.1.0.tgz	Transitive	3.13.0	✅
WS-2019-0307	Medium	5.1	Not Defined		mem-1.1.0.tgz	Transitive	2.18.4	✅
CVE-2023-34238	Medium	4.3	Not Defined	0.1%	gatsby-2.14.0.tgz	Direct	4.25.7	✅
CVE-2019-16769	Medium	4.2	Not Defined	0.1%	serialize-javascript-1.8.0.tgz	Transitive	2.18.7-jobs-api-v2.26	✅
CVE-2017-16137	Low	3.7	Not Defined	0.3%	detected in multiple dependencies	Transitive	2.14.1	✅
CVE-2022-0536	Low	2.6	Not Defined	0.1%	detected in multiple dependencies	Transitive	2.24.16-ink3.22	✅
CVE-2020-15168	Low	2.6	Not Defined	0.1%	detected in multiple dependencies	Transitive	2.24.16-ink3.22	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (11 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-2421

Vulnerable Library - socket.io-parser-3.3.0.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.0.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • socket.io-2.2.0.tgz
    • ❌ socket.io-parser-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Publish Date: 2022-10-25

URL: CVE-2022-2421

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qm95-pgcg-qqfq

Release Date: 2022-10-26

Fix Resolution (socket.io-parser): 3.3.3

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

MSC-2023-16609

Vulnerable Library - fsevents-1.2.9.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.9.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • webpack-dev-server-3.8.0.tgz
    • chokidar-2.1.8.tgz
      • ❌ fsevents-1.2.9.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.

Publish Date: 2023-09-20

URL: MSC-2023-16609

Threat Assessment

Exploit Maturity: High

EPSS:

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2023-45311

Vulnerable Library - fsevents-1.2.9.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.9.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • webpack-dev-server-3.8.0.tgz
    • chokidar-2.1.8.tgz
      • ❌ fsevents-1.2.9.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

Publish Date: 2023-10-06

URL: CVE-2023-45311

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-45311

Release Date: 2023-10-06

Fix Resolution (fsevents): 1.2.11

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • webpack-dev-server-3.8.0.tgz
    • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-37601

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • url-loader-1.1.2.tgz
    • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.0%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-2216

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • gatsby-telemetry-1.1.19.tgz
    • git-up-4.0.1.tgz
      • ❌ parse-url-5.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2216

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1/

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.1

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0691

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • react-dev-utils-4.2.3.tgz
    • sockjs-client-1.1.4.tgz
      • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44906

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • url-loader-1.1.2.tgz
    • loader-utils-1.2.3.tgz
      • json5-1.0.1.tgz
        • ❌ minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.5%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (gatsby): 2.14.1

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • react-dev-utils-4.2.3.tgz
    • ❌ shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (gatsby): 4.14.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7720

Vulnerable Library - node-forge-0.7.5.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.5.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • webpack-dev-server-3.8.0.tgz
    • selfsigned-1.10.4.tgz
      • ❌ node-forge-0.7.5.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-01

Fix Resolution (node-forge): 0.10.0

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-31597

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /website/package.json

Path to vulnerable library: /website/package.json

Dependency Hierarchy:

• gatsby-2.14.0.tgz (Root Library)
  • socket.io-2.2.0.tgz
    • socket.io-client-2.2.0.tgz
      • engine.io-client-3.3.2.tgz
        • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 7a067a8a50efe072f22c389c82d3cded33c3805c

Found in base branch: master

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-22

URL: CVE-2021-31597

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (9.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-22

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (gatsby): 2.14.1

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.