Open mend-for-github-com[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
:information_source: This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2017-1000048 - High Severity Vulnerability
Vulnerable Libraries - qs-2.3.3.tgz, qs-4.0.0.tgz, qs-2.4.2.tgz
qs-2.3.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-2.3.3.tgz
Path to dependency file: /samples/server/petstore/nodejs-google-cloud-functions/package.json
Path to vulnerable library: /samples/server/petstore/nodejs-google-cloud-functions/node_modules/superagent/node_modules/qs/package.json,/samples/server/petstore/nodejs/node_modules/superagent/node_modules/qs/package.json
Dependency Hierarchy: - swagger-tools-0.10.1.tgz (Root Library) - superagent-1.8.5.tgz - :x: **qs-2.3.3.tgz** (Vulnerable Library)
qs-4.0.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-4.0.0.tgz
Path to dependency file: /samples/server/petstore/nodejs/package.json
Path to vulnerable library: /samples/server/petstore/nodejs/node_modules/swagger-tools/node_modules/qs/package.json,/samples/server/petstore/nodejs-google-cloud-functions/node_modules/qs/package.json,/samples/dynamic-html/node_modules/qs/package.json
Dependency Hierarchy: - express-3.21.2.tgz (Root Library) - connect-2.30.2.tgz - :x: **qs-4.0.0.tgz** (Vulnerable Library)
qs-2.4.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-2.4.2.tgz
Path to dependency file: /samples/server/petstore/nodejs-google-cloud-functions/package.json
Path to vulnerable library: /samples/server/petstore/nodejs-google-cloud-functions/node_modules/body-parser/node_modules/qs/package.json,/samples/server/petstore/nodejs/node_modules/swagger-tools/node_modules/body-parser/node_modules/qs/package.json
Dependency Hierarchy: - swagger-tools-0.10.1.tgz (Root Library) - body-parser-1.12.4.tgz - :x: **qs-2.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 4b7a8d7d7384aa6a27d6309c35ade0916edae7ed
Found in base branches: 3.0.0, master
Vulnerability Details
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-17
Fix Resolution (qs): 6.0.4
Direct dependency fix Resolution (swagger-tools): 0.10.2
Fix Resolution (qs): 6.0.4
Direct dependency fix Resolution (express): 4.0.0
Fix Resolution (qs): 6.0.4
Direct dependency fix Resolution (swagger-tools): 0.10.2