CVE-2018-7651 (Medium) detected in ssri-5.0.0.tgz

[mend-bolt-for-github[bot]]

CVE-2018-7651 - Medium Severity Vulnerability

Vulnerable Library - ssri-5.0.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-5.0.0.tgz

Path to dependency file: /Turismo-Torrevieja/package.json

Path to vulnerable library: /tmp/git/Turismo-Torrevieja/node_modules/ssri/package.json

Dependency Hierarchy: - cli-1.6.1.tgz (Root Library) - copy-webpack-plugin-4.3.0.tgz - cacache-10.0.1.tgz - :x: **ssri-5.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5fe809a2e7cf19f24da932e71d58c622ec363c70

Vulnerability Details

index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string.

Publish Date: 2018-03-04

URL: CVE-2018-7651

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7651

Release Date: 2018-03-03

Fix Resolution: 5.2.2

---

Step up your Open Source Security Game with WhiteSource here