checkmarx-ts / checkmarx-github-action

Checkmarx Scan Github Action

[Checkmarx][OSA] CVE-2020-15168 - Score 5.3 - node-fetch:2.6.0

github-actions opened this issue · comments

Library Details
Library ID: ECBA10266EA102DD59CC6C89A3FBDE41322C4540
Library Name: node-fetch
Library Version: 2.6.0
Library Source File Name:
Library Confidence Level: 100


CVE Details
CVE Name: CVE-2020-15168
CVE Score: 5.3
Severity: Medium
State: TO_VERIFY
CVE Publish Date: 2020-09-10T19:15:00
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2020-15168
CVE Description: node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to get files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.


Recommendations
Library Newest Version: 2.6.1
Library Newest Version Release Date: 2020-09-05T13:00:44
Library Number of Versions Since Last Update: 1
Recommendations: Upgrade to 2.6.1

Vulnerability does not exist anymore.
Issue was fixed!