search

loggly / loggly-jslogger

Client-side (browser) logger to use with Loggly v2
79 stars 51 forks source link

WS-2019-0178 (Medium) detected in bower-1.8.0.tgz #70

Closed mend-for-github-com[bot] closed 3 years ago

mend-for-github-com[bot] commented 3 years ago

WS-2019-0178 - Medium Severity Vulnerability

Vulnerable Library - bower-1.8.0.tgz

The browser package manager

Library home page: https://registry.npmjs.org/bower/-/bower-1.8.0.tgz

Path to dependency file: loggly-jslogger/package.json

Path to vulnerable library: loggly-jslogger/node_modules/bower/package.json

Dependency Hierarchy: - :x: **bower-1.8.0.tgz** (Vulnerable Library)

Found in HEAD commit: 3247b5841e5a8923baf2e98a1914570b38eadd97

Found in base branch: master

Vulnerability Details

Bower versions before 1.8.8 does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory which cause Symlink Arbitrary File Overwrite

Publish Date: 2019-01-23

URL: WS-2019-0178

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/bower/bower/releases/tag/v1.8.8

Release Date: 2019-08-11

Fix Resolution: 1.8.8

MartinaGold commented 3 years ago

The vulnerability was fixed in this PR https://github.com/loggly/loggly-jslogger/pull/80/files