eldorplus / laravel-elixir-clean-unofficial

Laravel Elixir Cleaning Extension

WS-2018-0225 (Medium) detected in node.extend-1.1.6.tgz - autoclosed #123

Closed mend-bolt-for-github[bot] closed 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

WS-2018-0225 - Medium Severity Vulnerability

Vulnerable Library - node.extend-1.1.6.tgz

A port of jQuery.extend that actually works on node.js

Library home page: https://registry.npmjs.org/node.extend/-/node.extend-1.1.6.tgz

Path to dependency file: laravel-elixir-clean-unofficial/package.json

Path to vulnerable library: laravel-elixir-clean-unofficial/node_modules/node.extend

Dependency Hierarchy:
- laravel-elixir-6.0.0-15.tgz (Root Library)
  - gulp-notify-2.2.0.tgz
    - :x: **node.extend-1.1.6.tgz** (Vulnerable Library)

Found in HEAD commit: 6137d1b3e8146d3ba7b985492fc6b78cb1706fa2

Found in base branch: master

Vulnerability Details

Node.extend, versions v0.0.2 through v1.1.6 and version v2.0.0, have a prototype pollution vulnerability which allows an attacker to inject properties on Object.prototype.

Publish Date: 2018-10-30

URL: WS-2018-0225

CVSS 2 Score Details (6.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/430831

Release Date: 2018-12-13

Fix Resolution: 1.1.7,2.0.1



mend-bolt-for-github[bot] commented 3 years ago

:information_source: This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #125
