Tim-Demo / dvna-js

MIT License

CVE-2017-1001002 (Critical) detected in math-3.10.1.min.js, math-3.10.1.js #8

Open mend-for-github-com[bot] opened 3 years ago

mend-for-github-com[bot] commented 3 years ago

CVE-2017-1001002 - Critical Severity Vulnerability

Vulnerable Libraries - math-3.10.1.min.js, math-3.10.1.js

math-3.10.1.min.js

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser and offers an integrated solution to work with numbers, big numbers, complex numbers, units, and matrices.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mathjs/3.10.1/math.min.js

Path to dependency file: /node_modules/mathjs/test/test.min.html

Path to vulnerable library: /node_modules/mathjs/test/../dist/math.min.js

Dependency Hierarchy:

- :x: **math-3.10.1.min.js** (Vulnerable Library)

math-3.10.1.js

Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser and offers an integrated solution to work with numbers, big numbers, complex numbers, units, and matrices.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mathjs/3.10.1/math.js

Path to dependency file: /node_modules/mathjs/examples/browser/old_browsers.html

Path to vulnerable library: /node_modules/mathjs/examples/browser/../../dist/math.js,/node_modules/mathjs/test/../dist/math.js

Dependency Hierarchy:

- :x: **math-3.10.1.js** (Vulnerable Library)

Found in HEAD commit: 2cbae7a110c1f8cf54415e50a3d3732a81b4c1c5

Found in base branch: master

Vulnerability Details

math.js before 3.17.0 had an arbitrary code execution vulnerability in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.

Publish Date: 2017-11-27

URL: CVE-2017-1001002

CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1001002

Release Date: 2022-10-03

Fix Resolution: 3.17.0

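The suggested fix is an upgrade, and the flagged files are the `dist/` bundles shipped inside the mathjs package itself (referenced from its own `test/` and `examples/` HTML pages), so the practical check is whether any copy of mathjs in the dependency tree is still below 3.17.0. The following is an added example (not from the Mend issue, the dvna-js repository or the mathjs project) that scans a package-lock.json `packages` map for such copies, including nested ones under other packages' `node_modules`, and compares versions field by field rather than as strings; the lockfile fragment it runs on is constructed for illustration, and the function names are the example's own.

```javascript
// Added example, not from the Mend issue or the mathjs project: find every copy of
// mathjs in a package-lock.json "packages" map that is below the fixed version.
const FIXED_VERSION = '3.17.0'; // the advisory's Fix Resolution

// "3.17.0-beta.1" -> [3, 17, 0, 0]; "3.17.0" -> [3, 17, 0, 1]. The fourth element
// orders a prerelease below its matching release, as semver does.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Numeric comparison; a plain string comparison would rank "3.9.0" above "3.17.0"
// and silently miss vulnerable copies.
function compareVersions(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableMathjs(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Lockfile v2/v3 keys are install paths such as "node_modules/mathjs" or
// "node_modules/plugin/node_modules/mathjs". Match only the mathjs package itself,
// not packages whose names merely start with "mathjs".
function findVulnerableMathjs(lock) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/mathjs$/.test(installPath)) continue;
    if (typeof entry.version === 'string' && isVulnerableMathjs(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment for illustration (not the dvna-js repository's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/mathjs': { version: '3.10.1' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/mathjs': { version: '3.17.0' },
    'node_modules/mathjs-expression-parser': { version: '1.0.0' },
  },
};

console.log(findVulnerableMathjs(SAMPLE_LOCK)); // [{ path: 'node_modules/mathjs', version: '3.10.1' }]
```

Against a real project, feed it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of `SAMPLE_LOCK`; the only hit on the constructed data is the top-level 3.10.1 copy, while the nested 3.17.0 copy and the unrelated `mathjs-expression-parser` entry are correctly left alone.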
mend-for-github-com[bot] commented 6 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 6 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.