scm-automation-project / npm-6-with-lock-file-project


apollo-server-express-2.8.1.tgz: 1 vulnerabilities (highest severity is: 5.4) #61

Open dev-mend-for-github-com[bot] opened 1 year ago

dev-mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - apollo-server-express-2.8.1.tgz

Production-ready Node.js GraphQL server for Express and Connect

Library home page: https://registry.npmjs.org/apollo-server-express/-/apollo-server-express-2.8.1.tgz

Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (apollo-server-express version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2020-0111 | Medium | 5.4 | apollo-server-express-2.8.1.tgz | Direct | 2.14.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2020-0111

### Vulnerable Library - apollo-server-express-2.8.1.tgz

Production-ready Node.js GraphQL server for Express and Connect

Library home page: https://registry.npmjs.org/apollo-server-express/-/apollo-server-express-2.8.1.tgz

Dependency Hierarchy:
- :x: **apollo-server-express-2.8.1.tgz** (Vulnerable Library)

Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2

Found in base branch: main

### Vulnerability Details

Apollo-server-express before 2.4.12 is vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relations and human-readable names.

Publish Date: 2020-06-05

URL: WS-2020-0111

### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: N/A
  - Attack Complexity: N/A
  - Privileges Required: N/A
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-w42g-7vfc-xf37

Release Date: 2020-06-05

Fix Resolution: 2.14.2