WS-2018-0069 (High) detected in is-my-json-valid-2.13.1.tgz - autoclosed
mend-bolt-for-github opened this issue · comments
WS-2018-0069 - High Severity Vulnerability
Vulnerable Library - is-my-json-valid-2.13.1.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npmi/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/package.json
Dependency Hierarchy:
- gitbook-cli-2.3.2.tgz (Root Library)
- npmi-1.0.1.tgz
- npm-2.15.12.tgz
- request-2.74.0.tgz
- har-validator-2.0.6.tgz
- ❌ is-my-json-valid-2.13.1.tgz (Vulnerable Library)
- har-validator-2.0.6.tgz
- request-2.74.0.tgz
- npm-2.15.12.tgz
- npmi-1.0.1.tgz
Found in HEAD commit: a159a545c18be18ce68bfa58a3456c974f23bea5
Found in base branch: master
Vulnerability Details
Version of is-my-json-valid before 1.4.1 or 2.17.2 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.
Publish Date: 2018-02-14
URL: WS-2018-0069
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/572
Release Date: 2018-02-14
Fix Resolution: 1.4.1
Step up your Open Source Security Game with WhiteSource here
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.