kleros / vea

Vea bridge
https://vea.ninja
MIT License

@kleros/vea-validator-cli-0.0.0.tgz: 1 vulnerabilities (highest severity is: 6.1) - autoclosed #189

Closed mend-bolt-for-github[bot] closed 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - @kleros/vea-validator-cli-0.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/request-npm-2.88.2-f4a57c72c4-4e112c087f.zip

Found in HEAD commit: d95e8377b4d539d8d6c5359b9fff077064706cb5

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (@kleros/vea-validator-cli version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-28155

### Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/request-npm-2.88.2-f4a57c72c4-4e112c087f.zip

Dependency Hierarchy:
- @kleros/vea-validator-cli-0.0.0.tgz (Root Library)
  - web3-1.10.0.tgz
    - web3-bzz-1.10.0.tgz
      - swarm-js-0.1.42.tgz
        - eth-lib-0.1.29.tgz
          - servify-0.1.12.tgz
            - :x: **request-2.88.2.tgz** (Vulnerable Library)

Found in HEAD commit: d95e8377b4d539d8d6c5359b9fff077064706cb5

Found in base branch: dev

### Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.