search

finos / plexus-interop

Plexus Interop open source project hosted by the Fintech Open Source Foundation
https://plexus.finos.org
Apache License 2.0
252 stars 55 forks source link

CVE-2018-3739 (High) detected in https-proxy-agent-1.0.0.tgz - autoclosed #352

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago

CVE-2018-3739 - High Severity Vulnerability

Vulnerable Library - https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Dependency Hierarchy: - protractor-5.1.2.tgz (Root Library) - saucelabs-1.3.0.tgz - :x: **https-proxy-agent-1.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 8d1e24260d1985acc52e5d1710bcc43fcf3848ca

Found in base branch: master

Vulnerability Details

https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

Publish Date: 2018-06-07

URL: CVE-2018-3739

CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739

Release Date: 2018-06-07

Fix Resolution (https-proxy-agent): 2.2.0

Direct dependency fix Resolution (protractor): 5.3.2

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.