grunt-contrib-compress-1.6.0.tgz: 2 vulnerabilities (highest severity is: 9.8) unreachable

[mend-for-github-com]

Vulnerable Library - grunt-contrib-compress-1.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-get/package.json

Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (grunt-contrib-compress version)	Remediation Possible**	Reachability
CVE-2021-44906	Critical	9.8	Not Defined	2.3%	minimist-1.2.5.tgz	Transitive	2.0.0	✅	Unreachable
CVE-2022-0355	High	8.8	Not Defined	0.3%	simple-get-3.1.0.tgz	Transitive	2.0.0	✅	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• grunt-contrib-compress-1.6.0.tgz (Root Library)
  • iltorb-2.4.5.tgz
    • prebuild-install-5.3.6.tgz
      • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907

Found in base branches: develop, master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (grunt-contrib-compress): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0355

Vulnerable Library - simple-get-3.1.0.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-get/package.json

Dependency Hierarchy:

• grunt-contrib-compress-1.6.0.tgz (Root Library)
  • iltorb-2.4.5.tgz
    • prebuild-install-5.3.6.tgz
      • ❌ simple-get-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907

Found in base branches: develop, master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.

Publish Date: 2022-01-26

URL: CVE-2022-0355

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355

Release Date: 2022-01-26

Fix Resolution (simple-get): 3.1.1

Direct dependency fix Resolution (grunt-contrib-compress): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.