billmcchesney1 / react-bootstrap

Bootstrap components built with React
https://react-bootstrap.github.io/
MIT License
0 stars 0 forks source link

CVE-2023-34238 (Medium) detected in gatsby-2.30.0.tgz - autoclosed #171

Closed mend-for-github-com[bot] closed 9 months ago

mend-for-github-com[bot] commented 1 year ago

CVE-2023-34238 - Medium Severity Vulnerability

Vulnerable Library - gatsby-2.30.0.tgz

Path to dependency file: /www/package.json

Path to vulnerable library: /www/node_modules/gatsby/package.json

Dependency Hierarchy: - :x: **gatsby-2.30.0.tgz** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `gatsby@5.9.1` and `gatsby@4.25.7` which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.

Publish Date: 2023-06-08

URL: CVE-2023-34238

CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc

Release Date: 2023-06-08

Fix Resolution: gatsby - 4.25.7,5.9.1

mend-for-github-com[bot] commented 9 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.