search

TreyM-WSS / whitesource-demo-1

0 stars 0 forks source link

CVE-2020-7768 (High) detected in grpc-js-0.6.18.tgz - autoclosed #76

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago

CVE-2020-7768 - High Severity Vulnerability

Vulnerable Library - grpc-js-0.6.18.tgz

gRPC Library for Node - pure JS implementation

Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.6.18.tgz

Dependency Hierarchy: - firebase-tools-7.13.1.tgz (Root Library) - google-gax-1.12.0.tgz - :x: **grpc-js-0.6.18.tgz** (Vulnerable Library)

Found in HEAD commit: 45efe734ed23cf7e9393beef67fd9910f070b3b9

Vulnerability Details

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

Publish Date: 2020-11-11

URL: CVE-2020-7768

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Release Date: 2020-11-11

Fix Resolution: grpc 1.24.4, grpc-js 1.1.8

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.