CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz
mend-for-github-com opened this issue · comments
CVE-2021-23343 - High Severity Vulnerability
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /tmp/ws-scm/cosmos-ui/package.json
Path to vulnerable library: /tmp/ws-scm/cosmos-ui/node_modules/path-parse
Dependency Hierarchy:
- webpacker-4.3.0.tgz (Root Library)
- node-sass-4.14.1.tgz
- meow-3.7.0.tgz
- normalize-package-data-2.5.0.tgz
- resolve-1.12.0.tgz
- ❌ path-parse-1.0.6.tgz (Vulnerable Library)
- resolve-1.12.0.tgz
- normalize-package-data-2.5.0.tgz
- meow-3.7.0.tgz
- node-sass-4.14.1.tgz
Found in base branch: develop
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.