search

samqws-marketing / box_box-ui-elements

https://github.com/box/box-ui-elements.git
Other
0 stars 0 forks source link

CVE-2020-7660 (High) detected in multiple libraries - autoclosed #96

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 2 years ago

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Libraries - serialize-javascript-1.4.0.tgz, serialize-javascript-2.1.2.tgz, serialize-javascript-1.9.1.tgz

serialize-javascript-1.4.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy: - react-styleguidist-8.0.6.tgz (Root Library) - copy-webpack-plugin-4.6.0.tgz - :x: **serialize-javascript-1.4.0.tgz** (Vulnerable Library)

serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy: - react-5.3.9.tgz (Root Library) - core-5.3.9.tgz - terser-webpack-plugin-2.3.2.tgz - :x: **serialize-javascript-2.1.2.tgz** (Vulnerable Library)

serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy: - react-5.3.9.tgz (Root Library) - webpack-4.41.2.tgz - terser-webpack-plugin-1.4.1.tgz - :x: **serialize-javascript-1.9.1.tgz** (Vulnerable Library)

Found in HEAD commit: 4fc776e2b95c8b497f6994cb2165365562ae1f82

Found in base branch: master

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (react-styleguidist): 10.0.0

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (@storybook/react): 5.3.10

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (@storybook/react): 5.3.10

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.