search

szb512 / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://www.cypress.io
MIT License
0 stars 0 forks source link

CVE-2017-16129 (Medium) detected in superagent-1.8.5.tgz, superagent-0.21.0.tgz #21

Open mend-bolt-for-github[bot] opened 5 years ago

mend-bolt-for-github[bot] commented 5 years ago

CVE-2017-16129 - Medium Severity Vulnerability

Vulnerable Libraries - superagent-1.8.5.tgz, superagent-0.21.0.tgz

superagent-1.8.5.tgz

elegant & feature rich browser / node HTTP with a fluent API

Library home page: https://registry.npmjs.org/superagent/-/superagent-1.8.5.tgz

Path to dependency file: /cypress/packages/https-proxy/package.json

Path to vulnerable library: /packages/https-proxy/node_modules/superagent/package.json

Dependency Hierarchy: - supertest-1.2.0.tgz (Root Library) - :x: **superagent-1.8.5.tgz** (Vulnerable Library)

superagent-0.21.0.tgz

elegant & feature rich browser / node HTTP with a fluent API

Library home page: https://registry.npmjs.org/superagent/-/superagent-0.21.0.tgz

Path to dependency file: /cypress/packages/server/package.json

Path to vulnerable library: /packages/server/node_modules/superagent/package.json

Dependency Hierarchy: - supertest-0.15.0.tgz (Root Library) - :x: **superagent-0.21.0.tgz** (Vulnerable Library)

Found in HEAD commit: 29dcad339d37f2169e5a640bf8d0d1438f7c18c2

Found in base branch: develop

Vulnerability Details

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.

Publish Date: 2018-04-26

URL: CVE-2017-16129

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/479/versions

Release Date: 2018-04-26

Fix Resolution (superagent): 3.7.0

Direct dependency fix Resolution (supertest): 3.0.0

Fix Resolution (superagent): 3.7.0

Direct dependency fix Resolution (supertest): 3.0.0

Step up your Open Source Security Game with Mend here

issue-label-bot[bot] commented 5 years ago

Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.86. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!

Links: app homepage, dashboard and code for this bot.