shrivastava-prateek / angularjs-es6-webpack

If you want to try Webpack and ES6 with AngularJS, this project will give you minimum config required for setup

CVE-2016-10539 (High) detected in negotiator-0.5.3.tgz, negotiator-0.4.9.tgz - autoclosed #24

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 4 years ago

CVE-2016-10539 - High Severity Vulnerability

Vulnerable Libraries - negotiator-0.5.3.tgz, negotiator-0.4.9.tgz

negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /tmp/ws-scm/angularjs-es6-webpack/package.json

Path to vulnerable library: /tmp/ws-scm/angularjs-es6-webpack/node_modules/serve-index/node_modules/negotiator/package.json

Dependency Hierarchy:
- browser-sync-2.12.12.tgz (Root Library)
  - serve-index-1.7.3.tgz
    - accepts-1.2.13.tgz
      - :x: **negotiator-0.5.3.tgz** (Vulnerable Library)

negotiator-0.4.9.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.4.9.tgz

Path to dependency file: /tmp/ws-scm/angularjs-es6-webpack/package.json

Path to vulnerable library: /tmp/ws-scm/angularjs-es6-webpack/node_modules/negotiator/package.json

Dependency Hierarchy:
- express-4.9.8.tgz (Root Library)
  - accepts-1.1.4.tgz
    - :x: **negotiator-0.4.9.tgz** (Vulnerable Library)

Found in HEAD commit: 5a7519c9340d9d27cd18c80cc9093d3b1193db9d

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks, including Express and Koa. The "Accept-Language" header, when parsed by negotiator 0.6.0 and earlier, is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1. Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the `acceptsLanguages` function call in your application will tell you if you are using this functionality.


mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.