search

IBMStreams / streamsx.waterConservation.starterKit

Starter kit for smart and connected sprinkler system using Apache Edgent, Streaming Analytics and Insights for Weather
Apache License 2.0
7 stars 10 forks source link

Vulnerability in dependency "webpack-dev-server" found in nodejs/package.json #21

Closed schubon closed 5 years ago

schubon commented 5 years ago

Remediation

Upgrade webpack-dev-server to version 3.1.11 or later. For example:

"dependencies": { "webpack-dev-server": ">=3.1.11" }

or…

"devDependencies": { "webpack-dev-server": ">=3.1.11" }

Always verify the validity and compatibility of suggestions with your codebase. Details CVE-2018-14732 More information low severity Vulnerable versions: < 3.1.11 Patched version: 3.1.11

An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.11. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

natashadsilva commented 5 years ago

fixed