Open mend-for-github-com[bot] opened 3 years ago
WS-2019-0158 - Medium Severity Vulnerability
Vulnerable Library - static-eval-0.2.4.tgz
evaluate statically-analyzable expressions
Library home page: https://registry.npmjs.org/static-eval/-/static-eval-0.2.4.tgz
Path to dependency file: yugabyte-db/managed/ui/package.json
Path to vulnerable library: yugabyte-db/managed/ui/node_modules/static-module/node_modules/static-eval/package.json
Dependency Hierarchy:
- plotly.js-1.54.1.tgz (Root Library)
  - ndarray-fill-1.0.2.tgz
    - cwise-1.0.10.tgz
      - static-module-1.5.0.tgz
        - :x: **static-eval-0.2.4.tgz** (Vulnerable Library)
Found in HEAD commit: d5a0ed9bff63893a5435e09333d22846f6bb3acc
Found in base branch: master
Vulnerability Details
static-eval before 2.0.2 passes untrusted user input directly to the global Function constructor, which leads to arbitrary code execution.
Publish Date: 2019-02-18
URL: WS-2019-0158
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/758
Release Date: 2019-07-15
Fix Resolution: 2.0.2