Closed mend-for-github-com[bot] closed 3 years ago

WS-2019-0178 - Medium Severity Vulnerability

Vulnerable Library - bower-1.8.0.tgz

The browser package manager
Library home page: https://registry.npmjs.org/bower/-/bower-1.8.0.tgz
Path to dependency file: loggly-jslogger/package.json
Path to vulnerable library: loggly-jslogger/node_modules/bower/package.json
Dependency Hierarchy:
- :x: **bower-1.8.0.tgz** (Vulnerable Library)
Found in HEAD commit: 3247b5841e5a8923baf2e98a1914570b38eadd97
Found in base branch: master

Vulnerability Details

Bower versions before 1.8.8 do not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory, which causes Symlink Arbitrary File Overwrite.
Publish Date: 2019-01-23
URL: WS-2019-0178

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version
Origin: https://github.com/bower/bower/releases/tag/v1.8.8
Release Date: 2019-08-11
Fix Resolution: 1.8.8

The vulnerability was fixed in this PR https://github.com/loggly/loggly-jslogger/pull/80/files