Open mend-bolt-for-github[bot] opened 3 years ago
A port of jQuery.extend that actually works on node.js
Library home page: https://registry.npmjs.org/node.extend/-/node.extend-1.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node.extend
Dependency Hierarchy: - laravel-elixir-6.0.0-15.tgz (Root Library) - gulp-notify-2.2.0.tgz - :x: **node.extend-1.1.6.tgz** (Vulnerable Library)
Found in base branch: master
A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16491
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2019-02-01
Fix Resolution (node.extend): 1.1.7
Direct dependency fix Resolution (laravel-elixir): 6.0.0-16
Step up your Open Source Security Game with Mend here
CVE-2018-16491 - Critical Severity Vulnerability
A port of jQuery.extend that actually works on node.js
Library home page: https://registry.npmjs.org/node.extend/-/node.extend-1.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node.extend
Dependency Hierarchy: - laravel-elixir-6.0.0-15.tgz (Root Library) - gulp-notify-2.2.0.tgz - :x: **node.extend-1.1.6.tgz** (Vulnerable Library)
Found in base branch: master
A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16491
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2019-02-01
Fix Resolution (node.extend): 1.1.7
Direct dependency fix Resolution (laravel-elixir): 6.0.0-16
Step up your Open Source Security Game with Mend here