search

autoai-org / AID

One-Stop System for Machine Learning.
https://aid.autoai.org/
Apache License 2.0
320 stars 33 forks source link

WS-2020-0042 (Medium) detected in acorn-5.7.3.tgz, acorn-6.4.0.tgz #783

Closed mend-bolt-for-github[bot] closed 4 years ago

mend-bolt-for-github[bot] commented 4 years ago

WS-2020-0042 - Medium Severity Vulnerability

Vulnerable Libraries - acorn-5.7.3.tgz, acorn-6.4.0.tgz

acorn-5.7.3.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz

Path to dependency file: /tmp/ws-scm/AID/components/dashboard/package.json

Path to vulnerable library: /tmp/ws-scm/AID/components/dashboard/node_modules/jsdom/node_modules/acorn/package.json

Dependency Hierarchy: - cli-plugin-unit-jest-4.2.3.tgz (Root Library) - jest-24.9.0.tgz - jest-cli-24.9.0.tgz - jest-config-24.9.0.tgz - jest-environment-jsdom-24.9.0.tgz - jsdom-11.12.0.tgz - :x: **acorn-5.7.3.tgz** (Vulnerable Library)

acorn-6.4.0.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz

Path to dependency file: /tmp/ws-scm/AID/components/dashboard/package.json

Path to vulnerable library: /tmp/ws-scm/AID/components/dashboard/node_modules/acorn/package.json

Dependency Hierarchy: - cli-plugin-babel-4.2.3.tgz (Root Library) - webpack-4.42.0.tgz - :x: **acorn-6.4.0.tgz** (Vulnerable Library)

Found in HEAD commit: bb75fb3fec700537a57fec11c71829ab95b68b8b

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-08

URL: WS-2020-0042

CVSS 3 Score Details (5.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: N/A - Attack Complexity: N/A - Privileges Required: N/A - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-08

Fix Resolution: 7.1.1

Step up your Open Source Security Game with WhiteSource here

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.