CVE-2021-23362 (Medium) detected in multiple libraries #251
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2021-23362 - Medium Severity Vulnerability
hosted-git-info-2.6.0.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.6.0.tgz
Path to dependency file: amplify-cli/packages/amplify-cli/package.json
Path to vulnerable library: amplify-cli/packages/amplify-cli/node_modules/nyc/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
hosted-git-info-2.1.5.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.5.tgz
Path to dependency file: amplify-cli/packages/amplify-category-interactions/package.json
Path to vulnerable library: amplify-cli/packages/amplify-category-interactions/node_modules/npm/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-cli/node_modules/npm/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-function/node_modules/npm/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-api/node_modules/npm/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
hosted-git-info-2.8.8.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: amplify-cli/packages/amplify-frontend-android/package.json
Path to vulnerable library: amplify-cli/packages/amplify-frontend-android/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-transformer-common/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-elasticsearch-transformer/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-frontend-ios/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-analytics/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-appsync-transformer/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-codegen/node_modules/npm/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-http-transformer/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-hosting/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-connection-transformer/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-versioned-transformer/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-mapping-template/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-graphql-docs-generator/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-provider-awscloudformation/node_modules/npm/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-transformer-core/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-api/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-graphql-types-generator/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-cli/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-transformers-e2e-tests/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-codegen/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-storage/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-auth/node_modules/hosted-git-info/package.json,amplify-cli/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-interactions/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-cli/node_modules/aws-appsync-codegen/node_modules/npm/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-auth-transformer/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-provider-awscloudformation/node_modules/hosted-git-info/package.json,amplify-cli/packages/graphql-dynamodb-transformer/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-function/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-category-notifications/node_modules/hosted-git-info/package.json,amplify-cli/packages/amplify-frontend-javascript/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: c892e7a09cac285bd9b40ad38879032a4afe4b4a
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/npm/hosted-git-info/releases/tag/v3.0.8
Release Date: 2021-03-23
Fix Resolution: hosted-git-info - 3.0.8
The text was updated successfully, but these errors were encountered: