Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-25844 (High) detected in angular-1.8.2.tgz - autoclosed #1558

Closed
mend-for-github-com bot opened this issue May 6, 2022 · 2 comments
Closed

CVE-2022-25844 (High) detected in angular-1.8.2.tgz - autoclosed #1558

mend-for-github-com bot opened this issue May 6, 2022 · 2 comments
Labels
cve Security vulnerabilities detected by Dependabot or Mend de-angular de-angularize work dependencies Pull requests that update a dependency file high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.11.0

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented May 6, 2022
edited

CVE-2022-25844 - High Severity Vulnerability

Vulnerable Library - angular-1.8.2.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/angular/package.json,/node_modules/angular/package.json

Dependency Hierarchy:

  • angular-1.8.2.tgz (Vulnerable Library)

Found in HEAD commit: cba076465f44b6a819e3cff7986ff4cd21a66371

Found in base branch: main

Vulnerability Details

The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. Note: 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.

Publish Date: 2022-05-01

URL: CVE-2022-25844

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label May 6, 2022
@boktorbb boktorbb self-assigned this May 6, 2022
@boktorbb
Copy link
Contributor

boktorbb commented May 6, 2022 

yarn why angular
yarn why v1.22.5
[1/4] Why do we have the module "angular"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "angular@1.8.2"
info Has been hoisted to "angular"
info Reasons this module exists
   - "workspace-aggregator-b2776c5c-b428-4f9a-8756-be4c8103a438" depends on it
   - Specified in "dependencies"
   - Hoisted from "_project_#angular-elastic#angular"
   - Hoisted from "_project_#@osd#ui-shared-deps#angular"
   - Hoisted from "_project_#angular"
info Disk size without dependencies: "2.02MB"
info Disk size with unique dependencies: "2.02MB"
info Disk size with transitive dependencies: "2.02MB"
info Number of shared dependencies: 0

@tmarkley tmarkley added medium severity Medium severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels May 6, 2022
@tmarkley tmarkley mentioned this issue May 6, 2022
Closed
@boktorbb boktorbb assigned kavilla and unassigned boktorbb May 9, 2022
@mend-for-github-com mend-for-github-com bot changed the title CVE-2022-25844 (Medium) detected in angular-1.8.2.tgz CVE-2022-25844 (High) detected in angular-1.8.2.tgz May 12, 2022
@tmarkley tmarkley added high severity High severity CVE and removed medium severity Medium severity CVE labels May 20, 2022
@kavilla kavilla mentioned this issue Jul 24, 2022
Closed
This was referenced Aug 23, 2022
Closed
Closed
@zhongnansu zhongnansu added the de-angular de-angularize work label Nov 14, 2022
@joshuarrrr joshuarrrr added the dependencies Pull requests that update a dependency file label Jan 11, 2023
@ashwin-pc ashwin-pc mentioned this issue Sep 13, 2023
Closed
@mend-for-github-com
Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@mend-for-github-com mend-for-github-com bot changed the title CVE-2022-25844 (High) detected in angular-1.8.2.tgz CVE-2022-25844 (High) detected in angular-1.8.2.tgz - autoclosed Sep 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cve Security vulnerabilities detected by Dependabot or Mend de-angular de-angularize work dependencies Pull requests that update a dependency file high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.11.0
Projects
Dashboards DeAngularization
Status: Done
Milestone
No milestone
Development

No branches or pull requests
6 participants
@joshuarrrr @tmarkley @kavilla @ashwin-pc @zhongnansu @boktorbb