Closed dev-mend-for-github-com[bot] closed 1 year ago
dev-mend-for-github-com[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
dev-mend-for-github-com[bot]
commented
1 year ago :information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
dev-mend-for-github-com[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Serves a webpack app. Updates the browser on changes.
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-1.16.5.tgz
Found in HEAD commit: 4bd52fdb88062dc9142fa889e1ac6cb0141df525
Please note: There might be a version that explicitly solves one or more of the vulnerabilities listed below, but we do not recommend it. For more info about the optional fixes, check the section “Details” below.
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
WS-2018-0107
### Vulnerable Library - open-0.0.5.tgzopen a file or url in the user's preferred application
Library home page: https://registry.npmjs.org/open/-/open-0.0.5.tgz
Dependency Hierarchy: - webpack-dev-server-1.16.5.tgz (Root Library) - :x: **open-0.0.5.tgz** (Vulnerable Library)
Found in HEAD commit: 4bd52fdb88062dc9142fa889e1ac6cb0141df525
Found in base branch: main
### Vulnerability DetailsAll versions of open are vulnerable to command injection when unsanitized user input is passed in.
Publish Date: 2018-05-16
URL: WS-2018-0107
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0107
Release Date: 2018-01-27
Fix Resolution: open - 6.0.0
CVE-2018-14732
### Vulnerable Library - webpack-dev-server-1.16.5.tgzServes a webpack app. Updates the browser on changes.
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-1.16.5.tgz
Dependency Hierarchy: - :x: **webpack-dev-server-1.16.5.tgz** (Vulnerable Library)
Found in HEAD commit: 4bd52fdb88062dc9142fa889e1ac6cb0141df525
Found in base branch: main
### Vulnerability DetailsAn issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.
Publish Date: 2018-09-21
URL: CVE-2018-14732
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14732
Release Date: 2018-09-21
Fix Resolution: 3.1.6