Open mend-bolt-for-github[bot] opened 3 years ago
a JSON logging library for node.js services
Library home page: https://registry.npmjs.org/bunyan/-/bunyan-1.8.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bunyan/package.json
Dependency Hierarchy: - core-0.7.2.tgz (Root Library) - :x: **bunyan-1.8.12.tgz** (Vulnerable Library)
Found in HEAD commit: bd51b1f8b9a3c21e299c3eabc04e1478a88c2a66
Found in base branch: main
A Remote Command Execution (RCE) vulnerability was found in bunyan before 1.8.13 and 2.x before 2.0.3. The issue occurs because a user input is formatted inside a command that will be executed without any check.
Publish Date: 2020-06-27
URL: WS-2020-0217
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution: bunyan - 1.8.13,2.0.3
Step up your Open Source Security Game with Mend here
WS-2020-0217 - Medium Severity Vulnerability
a JSON logging library for node.js services
Library home page: https://registry.npmjs.org/bunyan/-/bunyan-1.8.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bunyan/package.json
Dependency Hierarchy: - core-0.7.2.tgz (Root Library) - :x: **bunyan-1.8.12.tgz** (Vulnerable Library)
Found in HEAD commit: bd51b1f8b9a3c21e299c3eabc04e1478a88c2a66
Found in base branch: main
A Remote Command Execution (RCE) vulnerability was found in bunyan before 1.8.13 and 2.x before 2.0.3. The issue occurs because a user input is formatted inside a command that will be executed without any check.
Publish Date: 2020-06-27
URL: WS-2020-0217
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution: bunyan - 1.8.13,2.0.3
Step up your Open Source Security Game with Mend here