CVE-2022-3517 (High) detected in multiple libraries #133

mend-for-github-com · 2022-10-19T13:18:33Z

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Libraries - minimatch-3.0.4.tgz, minimatch-2.0.10.tgz, minimatch-0.3.0.tgz, minimatch-0.2.14.tgz

minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /MqttStreamUsingNanoscale/package.json

Path to vulnerable library: /bower_components/webcomponentsjs/node_modules/rimraf/node_modules/minimatch/package.json,/bower_components/webcomponentsjs/node_modules/rimraf/node_modules/minimatch/package.json

Dependency Hierarchy:

app-scripts-0.0.45.tgz (Root Library)
- chokidar-1.6.1.tgz
  - fsevents-1.2.9.tgz
    - node-pre-gyp-0.12.0.tgz
      - rimraf-2.6.3.tgz
        
        glob-7.1.3.tgz
        
        ❌ minimatch-3.0.4.tgz (Vulnerable Library)

minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /MqttStreamUsingNanoscale/bower_components/webcomponentsjs/package.json

Path to vulnerable library: /bower_components/webcomponentsjs/node_modules/minimatch/package.json

Dependency Hierarchy:

web-component-tester-4.3.7.tgz (Root Library)
- glob-5.0.15.tgz
  - ❌ minimatch-2.0.10.tgz (Vulnerable Library)

minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: /MqttStreamUsingNanoscale/bower_components/webcomponentsjs/package.json

Path to vulnerable library: /bower_components/webcomponentsjs/node_modules/mocha/node_modules/minimatch/package.json,/bower_components/webcomponentsjs/node_modules/mocha/node_modules/minimatch/package.json

Dependency Hierarchy:

grunt-0.4.5.tgz (Root Library)
- findup-sync-0.1.3.tgz
  - glob-3.2.11.tgz
    - ❌ minimatch-0.3.0.tgz (Vulnerable Library)

minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: /MqttStreamUsingNanoscale/bower_components/promise-polyfill/package.json

Path to vulnerable library: /bower_components/promise-polyfill/node_modules/minimatch/package.json,/bower_components/promise-polyfill/node_modules/minimatch/package.json

Dependency Hierarchy:

grunt-0.4.5.tgz (Root Library)
- ❌ minimatch-0.2.14.tgz (Vulnerable Library)

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Oct 19, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-3517 (High) detected in multiple libraries #133

CVE-2022-3517 (High) detected in multiple libraries #133

mend-for-github-com bot commented Oct 19, 2022 •

edited

Loading

CVE-2022-3517 (High) detected in multiple libraries #133

CVE-2022-3517 (High) detected in multiple libraries #133

Comments

mend-for-github-com bot commented Oct 19, 2022 • edited Loading

CVE-2022-3517 - High Severity Vulnerability

mend-for-github-com bot commented Oct 19, 2022 •

edited

Loading