search

SharonKoch / Wiki_Demo

Wiki.js | A modern and powerful wiki app built on Node.js
https://js.wiki
GNU Affero General Public License v3.0
1 stars 0 forks source link

file-type-15.0.1.tgz: 1 vulnerabilities (highest severity is: 5.5) - autoclosed #16

Closed mend-for-github-com[bot] closed 5 months ago

mend-for-github-com[bot] commented 11 months ago
Vulnerable Library - file-type-15.0.1.tgz

Detect the file type of a Buffer/Uint8Array/ArrayBuffer

Library home page: https://registry.npmjs.org/file-type/-/file-type-15.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/file-type/package.json

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (file-type version) Remediation Possible**
CVE-2022-36313 Medium 5.5 file-type-15.0.1.tgz Direct 16.5.4

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-36313 ### Vulnerable Library - file-type-15.0.1.tgz

Detect the file type of a Buffer/Uint8Array/ArrayBuffer

Library home page: https://registry.npmjs.org/file-type/-/file-type-15.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/file-type/package.json

Dependency Hierarchy: - :x: **file-type-15.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: b544ab1bdcd701c07884add83f9af162c4523c4e

Found in base branch: main

### Vulnerability Details

An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.

Publish Date: 2022-07-21

URL: CVE-2022-36313

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-07-21

Fix Resolution: 16.5.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 5 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.