CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz

[mend-for-github-com]

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

• has-ansi-3.0.0.tgz (Root Library)
  • ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Dependency Hierarchy:

• github-checks-reporter-0.0.20-b3.tgz (Root Library)
  • strip-ansi-5.2.0.tgz
    • ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (has-ansi): 5.0.0

[tmarkley]

$ yarn why ansi-regex
yarn why v1.22.17
[1/4] Why do we have the module "ansi-regex"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "ansi-regex@2.1.1"
info Has been hoisted to "ansi-regex"
info Reasons this module exists
   - "workspace-aggregator-951a1914-7a65-48a8-9ec3-0f4c55d91856" depends on it
   - Hoisted from "_project_#elasticsearch#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#inquirer#ansi-regex"
   - Hoisted from "_project_#elasticsearch#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@elastic#makelogs#update-notifier#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@elastic#makelogs#update-notifier#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#cli-truncate#string-width#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#npmlog#gauge#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "has-ansi#ansi-regex@3.0.0"
info This module exists because "_project_#has-ansi" depends on it.
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "pretty-format#ansi-regex@5.0.0"
info This module exists because "_project_#pretty-format" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "strip-ansi#ansi-regex@5.0.1"
info This module exists because "_project_#strip-ansi" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "grunt-run#ansi-regex@2.1.1"
info Reasons this module exists
   - "_project_#grunt-run#strip-ansi" depends on it
   - Hoisted from "_project_#grunt-run#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/strip-ansi#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@elastic/github-checks-reporter#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@elastic#github-checks-reporter#strip-ansi" depends on it
   - Hoisted from "_project_#@elastic#github-checks-reporter#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "eslint#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#eslint#strip-ansi" depends on it
   - Hoisted from "_project_#eslint#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/jest#ansi-regex@5.0.0"
info Reasons this module exists
   - "_project_#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "license-checker#ansi-regex@0.2.1"
info Reasons this module exists
   - "_project_#license-checker#chalk#has-ansi" depends on it
   - Hoisted from "_project_#license-checker#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#license-checker#chalk#strip-ansi#ansi-regex"
info Disk size without dependencies: "12KB"
info Disk size with unique dependencies: "12KB"
info Disk size with transitive dependencies: "12KB"
info Number of shared dependencies: 0
=> Found "grunt-available-tasks#ansi-regex@2.1.1"
info Reasons this module exists
   - "_project_#grunt-available-tasks#chalk#has-ansi" depends on it
   - Hoisted from "_project_#grunt-available-tasks#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#grunt-available-tasks#chalk#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@osd/pm#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@osd#pm#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#pm#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@osd/test#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@osd#test#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#test#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "yargs#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#yargs#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "cliui#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#yargs#cliui#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#cliui#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/testing-library__jest-dom#ansi-regex@5.0.0"
info Reasons this module exists
   - "_project_#@types#testing-library__jest-dom#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@types#testing-library__jest-dom#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "webpack-dev-server#ansi-regex@6.0.1"
info Reasons this module exists
   - "_project_#@osd#ui-framework#webpack-dev-server#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#ui-framework#webpack-dev-server#strip-ansi#ansi-regex"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@osd/ui-framework#ansi-regex@2.1.1"
info Reasons this module exists
   - "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#has-ansi" depends on it
   - Hoisted from "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wide-align#ansi-regex@3.0.0"
info Reasons this module exists
   - "_project_#mocha#wide-align#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#mocha#wide-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wrap-ansi#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#yargs#cliui#wrap-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#cliui#wrap-ansi#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "table#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#eslint#table#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#eslint#table#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@testing-library/jest-dom#ansi-regex@5.0.0"
info Reasons this module exists
   - "_project_#@testing-library#jest-dom#@types#testing-library__jest-dom#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@testing-library#jest-dom#@types#testing-library__jest-dom#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "sass-lint#table#ansi-regex@3.0.0"
info Reasons this module exists
   - "_project_#sass-lint#eslint#table#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#sass-lint#eslint#table#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "log-update#ansi-regex@3.0.0"
info Reasons this module exists
   - "_project_#listr#listr-update-renderer#log-update#wrap-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#listr#listr-update-renderer#log-update#wrap-ansi#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "ansi-align#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@elastic#safer-lodash-set#tsd#update-notifier#boxen#ansi-align#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#@elastic#safer-lodash-set#tsd#update-notifier#boxen#ansi-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
Done in 1.60s.

[tmarkley]

$ npm ls ansi-regex
opensearch-dashboards@2.0.0 /home/ubuntu/ws/OpenSearch-Dashboards
├─┬ @elastic/github-checks-reporter@0.0.20b3
│ └─┬ strip-ansi@5.2.0
│   └── ansi-regex@4.1.0
├─┬ @elastic/makelogs@6.0.0
│ └─┬ update-notifier@0.5.0
│   └─┬ chalk@1.1.3
│     ├─┬ has-ansi@2.0.0
│     │ └── ansi-regex@2.1.1 deduped
│     └─┬ strip-ansi@3.0.1
│       └── ansi-regex@2.1.1 deduped
├─┬ @elastic/safer-lodash-set@0.0.0 -> ./packages/opensearch-safer-lodash-set
│ └─┬ tsd@0.16.0
│   └─┬ update-notifier@4.1.0
│     └─┬ boxen@4.2.0
│       └─┬ ansi-align@3.0.0
│         └─┬ string-width@3.1.0
│           └─┬ strip-ansi@5.2.0
│             └── ansi-regex@4.1.0
├─┬ @osd/optimizer@1.0.0 -> ./packages/osd-optimizer
│ └─┬ node-sass@6.0.1
│   ├─┬ chalk@1.1.3
│   │ ├─┬ has-ansi@2.0.0
│   │ │ └── ansi-regex@2.1.1 deduped
│   │ └─┬ strip-ansi@3.0.1
│   │   └── ansi-regex@2.1.1 deduped
│   └─┬ npmlog@4.1.2
│     └─┬ gauge@2.7.4
│       └─┬ strip-ansi@3.0.1
│         └── ansi-regex@2.1.1 deduped
├─┬ @osd/pm@1.0.0 -> ./packages/osd-pm
│ └─┬ @types/strip-ansi@5.2.1
│   └─┬ strip-ansi@5.2.0
│     └── ansi-regex@4.1.0
├─┬ @osd/test@1.0.0 -> ./packages/osd-test
│ └─┬ @types/strip-ansi@5.2.1
│   └─┬ strip-ansi@5.2.0
│     └── ansi-regex@4.1.0
├─┬ @osd/ui-framework@1.0.0 -> ./packages/osd-ui-framework
│ ├─┬ grunt-contrib-copy@1.0.0
│ │ └─┬ chalk@1.1.3
│ │   ├─┬ has-ansi@2.0.0
│ │   │ └── ansi-regex@2.1.1
│ │   └─┬ strip-ansi@3.0.1
│ │     └── ansi-regex@2.1.1 deduped
│ └─┬ webpack-dev-server@4.7.4
│   └─┬ strip-ansi@7.0.1
│     └── ansi-regex@6.0.1
├─┬ @testing-library/dom@7.24.2
│ └─┬ pretty-format@26.4.2
│   └── ansi-regex@5.0.0
├─┬ @testing-library/jest-dom@5.11.4
│ └─┬ @types/testing-library__jest-dom@5.9.2
│   └─┬ @types/jest@25.2.3
│     └─┬ pretty-format@25.5.0
│       └── ansi-regex@5.0.0
├─┬ @types/jest@26.0.14
│ └─┬ pretty-format@25.5.0
│   └── ansi-regex@5.0.0
├─┬ @types/strip-ansi@5.2.1
│ └─┬ strip-ansi@5.2.0
│   └── ansi-regex@4.1.0
├─┬ @types/testing-library__jest-dom@5.9.3
│ └─┬ @types/jest@25.2.3
│   └─┬ pretty-format@25.5.0
│     └── ansi-regex@5.0.0
├─┬ elasticsearch@16.7.0
│ └─┬ chalk@1.1.3
│   ├─┬ has-ansi@2.0.0
│   │ └── ansi-regex@2.1.1
│   └─┬ strip-ansi@3.0.1
│     └── ansi-regex@2.1.1 deduped
├─┬ eslint@6.8.0
│ ├─┬ strip-ansi@5.2.0
│ │ └── ansi-regex@4.1.0
│ └─┬ table@5.2.3
│   └─┬ string-width@3.1.0
│     └─┬ strip-ansi@5.2.0
│       └── ansi-regex@4.1.0
├─┬ grunt-available-tasks@0.6.3
│ └─┬ chalk@1.1.3
│   ├─┬ has-ansi@2.0.0
│   │ └── ansi-regex@2.1.1
│   └─┬ strip-ansi@3.0.1
│     └── ansi-regex@2.1.1 deduped
├─┬ grunt-run@0.8.1
│ └─┬ strip-ansi@3.0.1
│   └── ansi-regex@2.1.1
├─┬ has-ansi@3.0.0
│ └── ansi-regex@3.0.0
├─┬ license-checker@16.0.0
│ └─┬ chalk@0.5.1
│   ├─┬ has-ansi@0.1.0
│   │ └── ansi-regex@0.2.1
│   └─┬ strip-ansi@0.3.0
│     └── ansi-regex@0.2.1 deduped
├─┬ listr@0.14.3
│ └─┬ listr-update-renderer@0.5.0
│   ├─┬ chalk@1.1.3
│   │ └─┬ has-ansi@2.0.0
│   │   └── ansi-regex@2.1.1 deduped
│   ├─┬ cli-truncate@0.2.1
│   │ └─┬ string-width@1.0.2
│   │   └─┬ strip-ansi@3.0.1
│   │     └── ansi-regex@2.1.1 deduped
│   ├─┬ log-update@2.3.0
│   │ └─┬ wrap-ansi@3.0.1
│   │   └─┬ strip-ansi@4.0.0
│   │     └── ansi-regex@3.0.0
│   └─┬ strip-ansi@3.0.1
│     └── ansi-regex@2.1.1 deduped
├─┬ mocha@7.2.0
│ ├─┬ wide-align@1.1.3
│ │ └─┬ string-width@2.1.1
│ │   └─┬ strip-ansi@4.0.0
│ │     └── ansi-regex@3.0.0
│ └─┬ yargs@13.3.2
│   ├─┬ cliui@5.0.0
│   │ ├─┬ strip-ansi@5.2.0
│   │ │ └── ansi-regex@4.1.0
│   │ └─┬ wrap-ansi@5.1.0
│   │   └─┬ strip-ansi@5.2.0
│   │     └── ansi-regex@4.1.0
│   └─┬ string-width@3.1.0
│     └─┬ strip-ansi@5.2.0
│       └── ansi-regex@4.1.0
├─┬ sass-lint@1.12.1
│ └─┬ eslint@2.13.1
│   ├─┬ chalk@1.1.3
│   │ ├─┬ has-ansi@2.0.0
│   │ │ └── ansi-regex@2.1.1 deduped
│   │ └─┬ strip-ansi@3.0.1
│   │   └── ansi-regex@2.1.1 deduped
│   ├─┬ inquirer@0.12.0
│   │ └── ansi-regex@2.1.1 deduped
│   └─┬ table@3.8.3
│     └─┬ string-width@2.1.1
│       └─┬ strip-ansi@4.0.0
│         └── ansi-regex@3.0.0
└─┬ strip-ansi@6.0.1
  └── ansi-regex@5.0.1