kapseliboi / crowdfunding-frontend

A battle proven crowdfunding front end with Stripe, PayPal and PostFinance integration. And lots of features around it.
Other
0 stars 0 forks source link

CVE-2018-1107 (Medium) detected in is-my-json-valid-2.16.1.tgz #87

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2018-1107 - Medium Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.16.1.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.16.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-my-json-valid/package.json

Dependency Hierarchy: - standard-9.0.2.tgz (Root Library) - eslint-3.18.0.tgz - :x: **is-my-json-valid-2.16.1.tgz** (Vulnerable Library)

Found in HEAD commit: 3c5fb7d3f2932ae2023353faafd51bf99b953a5f

Found in base branch: master

Vulnerability Details

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

Publish Date: 2021-03-30

URL: CVE-2018-1107

CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4hpf-3wq7-5rpr

Release Date: 2021-03-30

Fix Resolution (is-my-json-valid): 2.17.2

Direct dependency fix Resolution (standard): 10.0.0


Step up your Open Source Security Game with Mend here