* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
CVE-2018-20822 - Medium Severity Vulnerability
Vulnerable Library - node-sassv4.13.1
:rainbow: Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
Found in HEAD commit: ba323c7c72be0fab814458350183f0bcdaad1ba0
Library Source Files (66)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
- /xcovfe/node_modules/node-sass/src/libsass/src/expand.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/expand.cpp - /xcovfe/node_modules/node-sass/src/sass_types/factory.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/operators.cpp - /xcovfe/node_modules/node-sass/src/sass_types/boolean.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/util.hpp - /xcovfe/node_modules/node-sass/src/sass_types/value.h - /xcovfe/node_modules/node-sass/src/libsass/src/emitter.hpp - /xcovfe/node_modules/node-sass/src/callback_bridge.h - /xcovfe/node_modules/node-sass/src/libsass/src/file.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/sass.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/operation.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/operators.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/constants.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/error_handling.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/parser.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/constants.cpp - /xcovfe/node_modules/node-sass/src/sass_types/list.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/cssize.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/functions.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/util.cpp - /xcovfe/node_modules/node-sass/src/custom_function_bridge.cpp - /xcovfe/node_modules/node-sass/src/custom_importer_bridge.h - /xcovfe/node_modules/node-sass/src/libsass/src/bind.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/eval.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/inspect.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/backtrace.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/extend.cpp - /xcovfe/node_modules/node-sass/src/sass_context_wrapper.h - /xcovfe/node_modules/node-sass/src/sass_types/sass_value_wrapper.h - /xcovfe/node_modules/node-sass/src/libsass/src/error_handling.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/parser.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/debugger.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/emitter.cpp - /xcovfe/node_modules/node-sass/src/sass_types/number.cpp - /xcovfe/node_modules/node-sass/src/sass_types/color.h - /xcovfe/node_modules/node-sass/src/libsass/src/sass_values.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/ast.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/output.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/check_nesting.cpp - /xcovfe/node_modules/node-sass/src/sass_types/null.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/functions.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/cssize.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/prelexer.cpp - /xcovfe/node_modules/node-sass/src/custom_importer_bridge.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/ast.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/to_c.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/to_value.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/inspect.hpp - /xcovfe/node_modules/node-sass/src/sass_types/color.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/values.cpp - /xcovfe/node_modules/node-sass/src/sass_context_wrapper.cpp - /xcovfe/node_modules/node-sass/src/sass_types/list.h - /xcovfe/node_modules/node-sass/src/libsass/src/check_nesting.hpp - /xcovfe/node_modules/node-sass/src/sass_types/map.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/to_value.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/context.cpp - /xcovfe/node_modules/node-sass/src/binding.cpp - /xcovfe/node_modules/node-sass/src/sass_types/string.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/sass_context.cpp - /xcovfe/node_modules/node-sass/src/libsass/src/prelexer.hpp - /xcovfe/node_modules/node-sass/src/libsass/src/context.hpp - /xcovfe/node_modules/node-sass/src/sass_types/boolean.h - /xcovfe/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20822
CVSS 3 Score Details (6.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0;node-sass - 4.13.1
Step up your Open Source Security Game with WhiteSource here