Closed mend-for-github-com[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
Vulnerable Library - zaproxy-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Vulnerabilities
Details
CVE-2018-1000620
### Vulnerable Library - cryptiles-0.2.2.tgz
General purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-0.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/cryptiles/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - hawk-1.0.0.tgz
      - :x: **cryptiles-0.2.2.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method that can result in an attacker being more likely to be able to brute force something that was supposed to be random. Whether this attack is exploitable depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution (cryptiles): 4.1.2
Direct dependency fix Resolution (zaproxy): 1.0.0-rc.1
CVE-2019-10744
### Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
### CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (zaproxy): 1.0.0-rc.1
CVE-2018-3728
### Vulnerable Library - hoek-0.9.1.tgz
General purpose node utilities
Library home page: https://registry.npmjs.org/hoek/-/hoek-0.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/hoek/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - hawk-1.0.0.tgz
      - :x: **hoek-0.9.1.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2018-03-30
Fix Resolution (hoek): 4.2.0
Direct dependency fix Resolution (zaproxy): 1.0.0-rc.1
WS-2014-0005
### Vulnerable Library - qs-0.6.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - :x: **qs-0.6.6.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
Denial-of-Service Extended Event Loop Blocking. The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time.
Publish Date: 2014-07-31
URL: WS-2014-0005
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005
Release Date: 2014-07-31
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (zaproxy): 0.3.0
CVE-2016-2515
### Vulnerable Library - hawk-1.0.0.tgz
HTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/hawk/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - :x: **hawk-1.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.
Publish Date: 2016-04-13
URL: CVE-2016-2515
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2515
Release Date: 2016-04-13
Fix Resolution (hawk): 3.1.3
Direct dependency fix Resolution (zaproxy): 0.3.0
CVE-2017-1000048
### Vulnerable Library - qs-0.6.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - :x: **qs-0.6.6.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-17
Fix Resolution (qs): 6.0.4
Direct dependency fix Resolution (zaproxy): 0.3.0
CVE-2017-16138
### Vulnerable Library - mime-1.2.11.tgz
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/mime/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - :x: **mime-1.2.11.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-06-07
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (zaproxy): 0.3.0
CVE-2014-10064
### Vulnerable Library - qs-0.6.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - :x: **qs-0.6.6.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Publish Date: 2018-05-31
URL: CVE-2014-10064
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064
Release Date: 2018-05-31
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (zaproxy): 0.3.0
CVE-2020-8203
### Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
Prototype pollution attack when using `_.zipObjectDeep` in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
### CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (zaproxy): 1.0.0-rc.1
CVE-2021-23337
### Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
### CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (zaproxy): 1.0.0-rc.1
CVE-2019-1010266
### Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266
Release Date: 2020-09-30
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (zaproxy): 1.0.0-rc.1
CVE-2018-3721
### Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Release Date: 2018-06-07
Fix Resolution (lodash): 4.17.5
Direct dependency fix Resolution (zaproxy): 1.0.0-rc.1
CVE-2017-16026
### Vulnerable Library - request-2.36.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.36.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/request/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - :x: **request-2.36.0.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
Request is an HTTP client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.
Publish Date: 2018-06-04
URL: CVE-2017-16026
### CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026
Release Date: 2018-06-04
Fix Resolution (request): 2.68.0
Direct dependency fix Resolution (zaproxy): 0.3.0
CVE-2018-16487
### Vulnerable Library - lodash-2.4.2.tgz
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/lodash/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - :x: **lodash-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
### CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
### Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (zaproxy): 1.0.0-rc.1
CVE-2014-7191
### Vulnerable Library - qs-0.6.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/qs/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - :x: **qs-0.6.6.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution (qs): 1.0.0
Direct dependency fix Resolution (zaproxy): 0.3.0
WS-2017-0266
### Vulnerable Library - http-signature-0.10.1.tgz
Reference implementation of Joyent's HTTP Signature scheme.
Library home page: https://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/zaproxy/node_modules/http-signature/package.json
Dependency Hierarchy:
- zaproxy-0.2.0.tgz (Root Library)
  - request-2.36.0.tgz
    - :x: **http-signature-0.10.1.tgz** (Vulnerable Library)
Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f
Found in base branch: main
### Vulnerability Details
Versions of http-signature before 1.0.0 are vulnerable to a timing attack, which may lead to information disclosure.
Publish Date: 2015-01-22
URL: WS-2017-0266
### CVSS 3 Score Details (3.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/joyent/node-http-signature/pull/36
Release Date: 2015-01-22
Fix Resolution (http-signature): 1.0.0
Direct dependency fix Resolution (zaproxy): 0.3.0