Open dev-mend-for-github-com[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
:information_source: This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
:information_source: This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.
Vulnerable Library - express-4.14.1.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/node_modules/qs/package.json
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Vulnerabilities
Details
CVE-2017-1000048
### Vulnerable Library - qs-6.2.0.tgzA querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.0.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/node_modules/qs/package.json
Dependency Hierarchy: - express-4.14.1.tgz (Root Library) - :x: **qs-6.2.0.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability Detailsthe web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-17
Fix Resolution (qs): 6.2.3
Direct dependency fix Resolution (express): 4.15.0
:rescue_worker_helmet: Automatic Remediation is available for this issueWS-2017-0247
### Vulnerable Library - ms-0.7.2.tgzTiny milisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz
Path to dependency file: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/package.json
Path to vulnerable library: /tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/node_modules/socket.io-adapter/node_modules/ms/package.json,/tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/node_modules/send/node_modules/ms/package.json,/tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/node_modules/engine.io/node_modules/ms/package.json,/tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/node_modules/socket.io/node_modules/ms/package.json,/tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/node_modules/socket.io-client/node_modules/ms/package.json,/tmp/ws-scm/SAST-coldfusion-project3/assets/reveal.js/node_modules/engine.io-client/node_modules/ms/package.json
Dependency Hierarchy: - express-4.14.1.tgz (Root Library) - send-0.14.2.tgz - :x: **ms-0.7.2.tgz** (Vulnerable Library)
Found in HEAD commit: c2eefd95e48e1db14889cdc88ab5b97aa52b5376
Found in base branch: main
### Vulnerability DetailsAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
### CVSS 2 Score Details (3.4)Base Score Metrics not available
### Suggested FixType: Upgrade version
Origin: https://github.com/vercel/ms/pull/89
Release Date: 2017-04-12
Fix Resolution (ms): 2.0.0
Direct dependency fix Resolution (express): 4.15.3
:rescue_worker_helmet: Automatic Remediation is available for this issue:rescue_worker_helmet: Automatic Remediation is available for this issue.