search

kimxogus / react-native-version-check

A version checker for react-native applications
MIT License
722 stars 179 forks source link

WS-2018-0209 (Medium) detected in morgan-1.6.1.tgz #79

Closed mend-bolt-for-github[bot] closed 5 years ago

mend-bolt-for-github[bot] commented 5 years ago

WS-2018-0209 - Medium Severity Vulnerability

Vulnerable Library - morgan-1.6.1.tgz

HTTP request logger middleware for node.js

Library home page: https://registry.npmjs.org/morgan/-/morgan-1.6.1.tgz

Path to dependency file: /react-native-version-check/packages/react-native-version-check-expo/package.json

Path to vulnerable library: /tmp/git/react-native-version-check/packages/react-native-version-check-expo/node_modules/morgan/package.json,/tmp/git/react-native-version-check/packages/react-native-version-check-expo/node_modules/morgan/package.json

Dependency Hierarchy: - react-native-0.48.4.tgz (Root Library) - connect-2.30.2.tgz - :x: **morgan-1.6.1.tgz** (Vulnerable Library)

Found in HEAD commit: d52a5161ca4eeb5387c6b83aba1683450896bcd8

Vulnerability Details

Morgan before 1.9.1 is vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.

Publish Date: 2018-11-25

URL: WS-2018-0209

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/735

Release Date: 2019-04-08

Fix Resolution: 1.9.1

Step up your Open Source Security Game with WhiteSource here