ibm-watson-5.1.0.tgz: 15 vulnerabilities (highest severity is: 7.8)

[mend-for-github-com]

Vulnerable Library - ibm-watson-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (ibm-watson version)	Remediation Possible**
CVE-2021-43138	High	7.8	async-2.6.3.tgz	Transitive	5.2.0	✅
CVE-2020-8203	High	7.4	lodash-4.17.15.tgz	Transitive	5.2.0	✅
CVE-2023-26159	High	7.3	follow-redirects-1.5.10.tgz	Transitive	5.6.0	✅
CVE-2021-23337	High	7.2	lodash-4.17.15.tgz	Transitive	5.2.0	✅
CVE-2024-28849	Medium	6.5	follow-redirects-1.5.10.tgz	Transitive	N/A*	❌
CVE-2023-45857	Medium	6.5	axios-0.18.1.tgz	Transitive	5.6.0	✅
CVE-2022-0155	Medium	6.5	follow-redirects-1.5.10.tgz	Transitive	5.6.0	✅
CVE-2022-23540	Medium	6.4	jsonwebtoken-8.5.1.tgz	Transitive	7.1.0	✅
CVE-2022-23539	Medium	5.9	jsonwebtoken-8.5.1.tgz	Transitive	7.1.0	✅
CVE-2020-28168	Medium	5.9	axios-0.18.1.tgz	Transitive	5.6.0	✅
CVE-2022-25883	Medium	5.3	detected in multiple dependencies	Transitive	7.1.0	✅
CVE-2020-28500	Medium	5.3	lodash-4.17.15.tgz	Transitive	5.2.0	✅
CVE-2022-23541	Medium	5.0	jsonwebtoken-8.5.1.tgz	Transitive	7.1.0	✅
CVE-2017-16137	Low	3.7	debug-4.1.1.tgz	Transitive	5.2.0	✅
CVE-2022-0536	Low	2.6	follow-redirects-1.5.10.tgz	Transitive	5.6.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ❌ async-2.6.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (ibm-watson): 5.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • async-2.6.3.tgz
    • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (ibm-watson): 5.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-26159

Vulnerable Library - follow-redirects-1.5.10.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • axios-0.18.1.tgz
    • ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Publish Date: 2024-01-02

URL: CVE-2023-26159

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159

Release Date: 2024-01-02

Fix Resolution (follow-redirects): 1.15.4

Direct dependency fix Resolution (ibm-watson): 5.6.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • async-2.6.3.tgz
    • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (ibm-watson): 5.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-28849

Vulnerable Library - follow-redirects-1.5.10.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • axios-0.18.1.tgz
    • ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-03-14

URL: CVE-2024-28849

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cxjh-pqwp-8mfp

Release Date: 2024-03-14

Fix Resolution: follow-redirects - 1.15.6

CVE-2023-45857

Vulnerable Library - axios-0.18.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ❌ axios-0.18.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution (axios): 0.20.0

Direct dependency fix Resolution (ibm-watson): 5.6.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0155

Vulnerable Library - follow-redirects-1.5.10.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • axios-0.18.1.tgz
    • ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (ibm-watson): 5.6.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ibm-cloud-sdk-core-1.3.0.tgz
    • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (6.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (ibm-watson): 7.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ibm-cloud-sdk-core-1.3.0.tgz
    • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-22

URL: CVE-2022-23539

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (ibm-watson): 7.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28168

Vulnerable Library - axios-0.18.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ❌ axios-0.18.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (ibm-watson): 5.6.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25883

Vulnerable Libraries - semver-5.7.1.tgz, semver-6.3.0.tgz

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/node_modules/semver/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ibm-cloud-sdk-core-1.3.0.tgz
    • jsonwebtoken-8.5.1.tgz
      • ❌ semver-5.7.1.tgz (Vulnerable Library)

semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ibm-cloud-sdk-core-1.3.0.tgz
    • ❌ semver-6.3.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (ibm-watson): 7.1.0

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (ibm-watson): 7.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28500

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • async-2.6.3.tgz
    • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (ibm-watson): 5.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ibm-cloud-sdk-core-1.3.0.tgz
    • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (ibm-watson): 7.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-16137

Vulnerable Library - debug-4.1.1.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ibm-cloud-sdk-core/node_modules/debug/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • ibm-cloud-sdk-core-1.3.0.tgz
    • ❌ debug-4.1.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-06-07

Fix Resolution (debug): 4.3.1

Direct dependency fix Resolution (ibm-watson): 5.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0536

Vulnerable Library - follow-redirects-1.5.10.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

• ibm-watson-5.1.0.tgz (Root Library)
  • axios-0.18.1.tgz
    • ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (2.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (ibm-watson): 5.6.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.