helmet-2.3.0.tgz: 2 vulnerabilities (highest severity is: 6.1) - autoclosed

[mend-for-github-com[bot]]

Vulnerable Library - helmet-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/helmet-csp/package.json

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
WS-2019-0289	Medium	6.1	helmet-csp-1.2.2.tgz	Transitive	3.21.0	✅
CVE-2017-16137	Medium	5.3	debug-2.2.0.tgz	Transitive	3.8.2	✅

Details

WS-2019-0289

### Vulnerable Library - helmet-csp-1.2.2.tgz

Content Security Policy middleware.

Library home page: https://registry.npmjs.org/helmet-csp/-/helmet-csp-1.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/helmet-csp/package.json

Dependency Hierarchy: - helmet-2.3.0.tgz (Root Library) - :x: **helmet-csp-1.2.2.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

Helmet-csp before 2.9.1 is vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.

Publish Date: 2019-11-18

URL: WS-2019-0289

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1176

Release Date: 2019-11-18

Fix Resolution (helmet-csp): 2.9.1

Direct dependency fix Resolution (helmet): 3.21.0

In order to enable automatic remediation, please create workflow rules

CVE-2017-16137

### Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/connect/node_modules/debug/package.json,/node_modules/npm/node_modules/node-gyp/node_modules/path-array/node_modules/array-index/node_modules/debug/package.json,/node_modules/nyc/node_modules/debug/package.json

Dependency Hierarchy: - helmet-2.3.0.tgz (Root Library) - connect-3.4.1.tgz - :x: **debug-2.2.0.tgz** (Vulnerable Library)

Found in HEAD commit: 33cd7775cefbf105dc51f3d5f5d136e529948d6f

Found in base branch: main

### Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (helmet): 3.8.2

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.