mend-for-github-com[bot]
commented
3 years ago :information_source: This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #14
Closed mend-for-github-com[bot] closed 3 years ago
mend-for-github-com[bot]
commented
3 years ago :information_source: This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #14
CVE-2019-10746 - High Severity Vulnerability
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: doccano/app/server/static/package.json
Path to vulnerable library: doccano/app/server/static/node_modules/mixin-deep/package.json
Dependency Hierarchy: - webpack-4.12.0.tgz (Root Library) - micromatch-3.1.10.tgz - snapdragon-0.8.2.tgz - base-0.11.2.tgz - :x: **mixin-deep-1.3.1.tgz** (Vulnerable Library)
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
Release Date: 2019-07-11
Fix Resolution: 1.3.2,2.0.1