CVE-2017-1000048 (High) detected in qs-6.2.3.tgz - autoclosed

[mend-bolt-for-github[bot]]

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Library - qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Path to dependency file: /Ceres/package.json

Path to vulnerable library: /tmp/git/Ceres/node_modules/loggly/node_modules/qs/package.json

Dependency Hierarchy: - karma-2.0.2.tgz (Root Library) - log4js-2.7.0.tgz - loggly-1.1.1.tgz - request-2.75.0.tgz - :x: **qs-6.2.3.tgz** (Vulnerable Library)

Found in HEAD commit: b31d728670f7b1cea140b9a346bf71d1a9771fb2

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: https://github.com/ljharb/qs/commit/c709f6e3ef2ed324f17c43369e1d45ad351e86e6

Release Date: 2017-03-06

Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js

---

Step up your Open Source Security Game with WhiteSource here

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.