CVE-2016-1000236 (Medium) detected in cookie-signature-1.0.1.tgz
mend-bolt-for-github opened this issue
CVE-2016-1000236 - Medium Severity Vulnerability
Vulnerable Library - cookie-signature-1.0.1.tgz
Sign and unsign cookies
Library home page: https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.1.tgz
Path to dependency file: caite/package.json
Path to vulnerable library: caite/node_modules/cookie-signature/package.json
Dependency Hierarchy:
- grunt-contrib-connect-0.5.0.tgz (Root Library)
  - connect-2.7.11.tgz
    - ❌ cookie-signature-1.0.1.tgz (Vulnerable Library)
Found in HEAD commit: cd9951c688404f842b5b42d372e5ac4d387ff367
Found in base branch: master
Vulnerability Details
Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.
Publish Date: 2019-11-19
URL: CVE-2016-1000236
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: tj/node-cookie-signature@3979108
Release Date: 2019-11-19
Fix Resolution: 1.0.4