WS-2018-0107 (High) detected in open-0.0.4.tgz
mend-bolt-for-github opened this issue · comments
WS-2018-0107 - High Severity Vulnerability
Vulnerable Library - open-0.0.4.tgz
open a file or url in the user's preferred application
Library home page: https://registry.npmjs.org/open/-/open-0.0.4.tgz
Path to dependency file: caite/package.json
Path to vulnerable library: caite/node_modules/open/package.json
Dependency Hierarchy:
- grunt-contrib-connect-0.5.0.tgz (Root Library)
- ❌ open-0.0.4.tgz (Vulnerable Library)
Found in HEAD commit: cd9951c688404f842b5b42d372e5ac4d387ff367
Found in base branch: master
Vulnerability Details
All versions of open are vulnerable to command injection when unsanitized user input is passed in.
Publish Date: 2018-05-16
URL: WS-2018-0107
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/663
Release Date: 2018-05-16
Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.
Step up your Open Source Security Game with WhiteSource here