Vulnerable Library - enzyme-2.9.1.tgz
Path to dependency file: /react-google-map-apis/package.json
Path to vulnerable library: /tmp/git/react-google-map-apis/node_modules/lodash.merge/package.json
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (enzyme version) |
Remediation Possible** |
| CVE-2019-10744 |
 Critical |
9.1 |
lodash.merge-4.6.1.tgz |
Transitive |
3.0.0 |
❌ |
| CVE-2021-3803 |
 High |
7.5 |
nth-check-1.0.2.tgz |
Transitive |
3.0.0 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-10744
Vulnerable Library - lodash.merge-4.6.1.tgz
The Lodash method `_.merge` exported as a module.
Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz
Path to dependency file: /react-google-map-apis/package.json
Path to vulnerable library: /tmp/git/react-google-map-apis/node_modules/lodash.merge/package.json
Dependency Hierarchy:
- enzyme-2.9.1.tgz (Root Library)
- cheerio-0.22.0.tgz
- ❌ lodash.merge-4.6.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.merge): 4.6.2
Direct dependency fix Resolution (enzyme): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /react-google-map-apis/package.json
Path to vulnerable library: /tmp/git/react-google-map-apis/node_modules/nth-check/package.json
Dependency Hierarchy:
- enzyme-2.9.1.tgz (Root Library)
- cheerio-0.22.0.tgz
- css-select-1.2.0.tgz
- ❌ nth-check-1.0.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (enzyme): 3.0.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /react-google-map-apis/package.json
Path to vulnerable library: /tmp/git/react-google-map-apis/node_modules/lodash.merge/package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - lodash.merge-4.6.1.tgz
The Lodash method `_.merge` exported as a module.
Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz
Path to dependency file: /react-google-map-apis/package.json
Path to vulnerable library: /tmp/git/react-google-map-apis/node_modules/lodash.merge/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.merge): 4.6.2
Direct dependency fix Resolution (enzyme): 3.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /react-google-map-apis/package.json
Path to vulnerable library: /tmp/git/react-google-map-apis/node_modules/nth-check/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (enzyme): 3.0.0
Step up your Open Source Security Game with Mend here