CVE-2022-1214 (High) detected in axios-0.21.4.tgz - autoclosed
mend-bolt-for-github opened this issue · comments
CVE-2022-1214 - High Severity Vulnerability
Vulnerable Library - axios-0.21.4.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- scripts-20.0.2.tgz (Root Library)
- jest-dev-server-6.0.3.tgz
- wait-on-6.0.0.tgz
- ❌ axios-0.21.4.tgz (Vulnerable Library)
- wait-on-6.0.0.tgz
- jest-dev-server-6.0.3.tgz
Found in HEAD commit: 6e73a53ebf6ec45fb9a872a4937a93fe0096acce
Found in base branch: main
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.
Publish Date: 2022-05-03
URL: CVE-2022-1214
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
Release Date: 2022-05-03
Fix Resolution: axios - v0.26.0
Step up your Open Source Security Game with WhiteSource here
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.