thor-it / thor-sso

FOSS IdentityServer4 solution for single-sign-on of the rugby club SRC Thor.
MIT License

karma-5.1.1.tgz: 15 vulnerabilities (highest severity is: 9.4) - autoclosed #23

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 2 years ago
Vulnerable Library - karma-5.1.1.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-5.1.1.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/karma/package.json

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-31597 | High | 9.4 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | 5.2.0 | |
| CVE-2020-28502 | High | 8.1 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | 5.2.0 | |
| WS-2020-0443 | High | 8.1 | socket.io-2.3.0.tgz | Transitive | 5.2.0 | |
| CVE-2020-36048 | High | 7.5 | engine.io-3.4.2.tgz | Transitive | 6.0.0 | |
| CVE-2021-27292 | High | 7.5 | ua-parser-js-0.7.21.tgz | Transitive | 6.0.0 | |
| CVE-2020-36049 | High | 7.5 | socket.io-parser-3.3.1.tgz | Transitive | 5.2.0 | |
| CVE-2020-7733 | High | 7.5 | ua-parser-js-0.7.21.tgz | Transitive | 5.2.3 | |
| CVE-2020-7793 | High | 7.5 | ua-parser-js-0.7.21.tgz | Transitive | 6.0.0 | |
| CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.13.0.tgz | Transitive | 5.2.0 | |
| CVE-2022-0437 | Medium | 6.1 | karma-5.1.1.tgz | Direct | 6.3.14 | |
| CVE-2021-23495 | Medium | 6.1 | karma-5.1.1.tgz | Direct | 6.3.16 | |
| CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.13.0.tgz | Transitive | 5.2.0 | |
| CVE-2022-21704 | Medium | 5.5 | log4js-6.3.0.tgz | Transitive | 5.2.0 | |
| CVE-2021-32640 | Medium | 5.3 | multiple | Transitive | 5.2.0 | |
| CVE-2020-28481 | Medium | 4.3 | socket.io-2.3.0.tgz | Transitive | 5.2.0 | |

Details

**CVE-2021-31597**

### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - socket.io-2.3.0.tgz
    - socket.io-client-2.3.0.tgz
      - engine.io-client-3.4.4.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

### CVSS 3 Score Details (9.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.2.0

Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
**CVE-2020-28502**

### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - socket.io-2.3.0.tgz
    - socket.io-client-2.3.0.tgz
      - engine.io-client-3.4.4.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.2.0

**WS-2020-0443**

### Vulnerable Library - socket.io-2.3.0.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.3.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/socket.io/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - :x: **socket.io-2.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

socket.io versions 1.0.0 to 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking: it allows an attacker to bypass origin protection using special symbols including "`" and "$".

Publish Date: 2020-02-20

URL: WS-2020-0443

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/931197

Release Date: 2020-02-20

Fix Resolution (socket.io): 2.4.0

Direct dependency fix Resolution (karma): 5.2.0

**CVE-2020-36048**

### Vulnerable Library - engine.io-3.4.2.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.4.2.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/engine.io/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - socket.io-2.3.0.tgz
    - :x: **engine.io-3.4.2.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution (engine.io): 4.0.0-alpha.0

Direct dependency fix Resolution (karma): 6.0.0

**CVE-2021-27292**

### Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - :x: **ua-parser-js-0.7.21.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/faisalman/ua-parser-js/releases/tag/0.7.24

Release Date: 2021-03-17

Fix Resolution (ua-parser-js): 0.7.24

Direct dependency fix Resolution (karma): 6.0.0

**CVE-2020-36049**

### Vulnerable Library - socket.io-parser-3.3.1.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.1.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/socket.io-parser/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - socket.io-2.3.0.tgz
    - socket.io-client-2.3.0.tgz
      - :x: **socket.io-parser-3.3.1.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Publish Date: 2021-01-08

URL: CVE-2020-36049

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-xfhh-g9f5-x4m4

Release Date: 2021-01-08

Fix Resolution (socket.io-parser): 3.3.2

Direct dependency fix Resolution (karma): 5.2.0

**CVE-2020-7733**

### Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - :x: **ua-parser-js-0.7.21.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (karma): 5.2.3

**CVE-2020-7793**

### Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - :x: **ua-parser-js-0.7.21.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: 2020-12-11

URL: CVE-2020-7793

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18

Release Date: 2020-12-11

Fix Resolution (ua-parser-js): 0.7.23

Direct dependency fix Resolution (karma): 6.0.0

**CVE-2022-0155**

### Vulnerable Library - follow-redirects-1.13.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/follow-redirects/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - http-proxy-1.18.1.tgz
    - :x: **follow-redirects-1.13.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor.

Publish Date: 2022-01-10

URL: CVE-2022-0155

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (karma): 5.2.0

**CVE-2022-0437**

### Vulnerable Library - karma-5.1.1.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-5.1.1.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/karma/package.json

Dependency Hierarchy:
- :x: **karma-5.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.

Publish Date: 2022-02-05

URL: CVE-2022-0437

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0437

Release Date: 2022-02-05

Fix Resolution: 6.3.14

**CVE-2021-23495**

### Vulnerable Library - karma-5.1.1.tgz

Spectacular Test Runner for JavaScript.

Library home page: https://registry.npmjs.org/karma/-/karma-5.1.1.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/karma/package.json

Dependency Hierarchy:
- :x: **karma-5.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The package karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Publish Date: 2022-02-25

URL: CVE-2021-23495

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23495

Release Date: 2022-02-25

Fix Resolution: 6.3.16

**CVE-2022-0536**

### Vulnerable Library - follow-redirects-1.13.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/follow-redirects/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - http-proxy-1.18.1.tgz
    - :x: **follow-redirects-1.13.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (karma): 5.2.0

**CVE-2022-21704**

### Vulnerable Library - log4js-6.3.0.tgz

Port of Log4js to work with node.

Library home page: https://registry.npmjs.org/log4js/-/log4js-6.3.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/log4js/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - :x: **log4js-6.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

Publish Date: 2022-01-19

URL: CVE-2022-21704

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q

Release Date: 2022-01-19

Fix Resolution (log4js): 6.4.1

Direct dependency fix Resolution (karma): 5.2.0

**CVE-2021-32640**

### Vulnerable Libraries - ws-7.4.1.tgz, ws-6.1.4.tgz

### ws-7.4.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.1.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/ws/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - socket.io-2.3.0.tgz
    - engine.io-3.4.2.tgz
      - :x: **ws-7.4.1.tgz** (Vulnerable Library)

### ws-6.1.4.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.1.4.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/ws/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - socket.io-2.3.0.tgz
    - socket.io-client-2.3.0.tgz
      - engine.io-client-3.4.4.tgz
        - :x: **ws-6.1.4.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 7.4.6

Direct dependency fix Resolution (karma): 5.2.0

Fix Resolution (ws): 6.2.2

Direct dependency fix Resolution (karma): 5.2.0

**CVE-2020-28481**

### Vulnerable Library - socket.io-2.3.0.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.3.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/socket.io/package.json

Dependency Hierarchy:
- karma-5.1.1.tgz (Root Library)
  - :x: **socket.io-2.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088

Found in base branch: develop

### Vulnerability Details

The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Publish Date: 2021-01-19

URL: CVE-2020-28481

### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481

Release Date: 2021-01-19

Fix Resolution (socket.io): 2.4.0

Direct dependency fix Resolution (karma): 5.2.0

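The highest-scoring finding above, CVE-2021-31597, comes down to an option-handling defect: a caller's optional `rejectUnauthorized` is copied straight into the HTTPS request options, so the property exists but holds `undefined`. The following is an added example, not code from xmlhttprequest-ssl, Node.js or the thor-sso project. It isolates that pattern and shows the hardened form next to it. The `DEFAULTS` object, `CALLER_OPTS` and the hostname are constructed for the example; how Node's `https.request` then interprets the undefined property is the advisory's claim and is not exercised here, only the way the bad value gets there and how to stop it.

```javascript
// Added example; not xmlhttprequest-ssl, Node.js or thor-sso code.
// Constructed defaults standing in for a library's request defaults.
const DEFAULTS = Object.freeze({ rejectUnauthorized: true, timeout: 30000 });

// Vulnerable pattern: the caller's value (possibly undefined) is copied through
// and wins over the default because it comes later in the object literal.
function tlsOptionsLoose(userOpts = {}) {
  return {
    ...DEFAULTS,
    host: userOpts.host,
    rejectUnauthorized: userOpts.rejectUnauthorized,
  };
}

// Same defect via spread: `{ rejectUnauthorized: undefined }` overwrites `true`,
// because spread copies own properties even when their value is undefined.
function tlsOptionsSpread(userOpts = {}) {
  return { ...DEFAULTS, ...userOpts };
}

// Hardened pattern: only an explicit `false` disables verification; undefined,
// null, 0 or "" all leave the secure default in place, and the emitted value is
// always a real boolean.
function tlsOptionsStrict(userOpts = {}) {
  const rejectUnauthorized = userOpts.rejectUnauthorized !== false;
  return { ...DEFAULTS, ...userOpts, rejectUnauthorized };
}

// True when `key` is present on `obj` but holds undefined: the exact shape the
// advisory describes ("the property exists but is undefined").
function hasUndefinedProperty(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) && obj[key] === undefined;
}

// Guard to run right before handing options to https.request: refuse anything
// that is not literally `true`, so a silently lost default cannot reach the wire.
function assertVerifiesPeer(options) {
  if (options.rejectUnauthorized !== true) {
    throw new Error(
      `refusing request: rejectUnauthorized is ${String(options.rejectUnauthorized)}, not true`,
    );
  }
  return options;
}

// Constructed caller input: a host, but no decision about certificate checking.
const CALLER_OPTS = { host: 'sso.example.test' };

// Run the three builders on the same input and report what each one produced.
function demo() {
  const loose = tlsOptionsLoose(CALLER_OPTS);
  const spread = tlsOptionsSpread({ ...CALLER_OPTS, rejectUnauthorized: undefined });
  const strict = tlsOptionsStrict(CALLER_OPTS);
  let looseRejected = false;
  try {
    assertVerifiesPeer(loose);
  } catch (err) {
    looseRejected = true;
  }
  return {
    looseHasUndefined: hasUndefinedProperty(loose, 'rejectUnauthorized'),
    spreadHasUndefined: hasUndefinedProperty(spread, 'rejectUnauthorized'),
    strictValue: strict.rejectUnauthorized,
    looseRejectedByGuard: looseRejected,
    strictPassesGuard: assertVerifiesPeer(strict) === strict,
  };
}
```

The guard is the piece worth keeping in a code base that wraps `https.request`: a default that has been wiped out by an `undefined` is invisible in a log line, but a check for `=== true` fails loudly before any connection is made.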
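CVE-2021-23495 above is an open redirect caused by a `return_url` query parameter that was never validated. The block below is an added example, not karma code or anything from the thor-sso project, of the validation such a parameter needs: accept only paths that resolve to the trusted origin and refuse every shape that would send the browser elsewhere. `TRUSTED_ORIGIN` and the `SAMPLE_RETURN_URLS` inputs are constructed for the example. The same check applies to any post-login or post-logout return parameter, which is why it is relevant to an SSO deployment beyond the test runner.

```javascript
// Added example; not karma or thor-sso code.
// Constructed trusted origin; a real deployment reads this from configuration.
const TRUSTED_ORIGIN = 'https://karma.example.test:9876';

// Return the absolute same-origin URL to redirect to, or null when the input must
// be refused. Callers redirect only to the returned value, never to the raw parameter.
function safeReturnUrl(raw, trustedOrigin = TRUSTED_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  // Control characters and whitespace have no business in a redirect target and
  // are a common way to slip a scheme or a second header past naive checks.
  if (/[\u0000-\u001f\u007f\s]/.test(raw)) return null;
  // Browsers treat backslashes as forward slashes, so "/\evil.test" becomes
  // "//evil.test" (an authority) in the browser while looking like a path here.
  if (raw.includes('\\')) return null;
  // Only a relative path is acceptable input: exactly one leading "/". Absolute
  // URLs ("https://evil.test"), protocol-relative URLs ("//evil.test") and
  // scheme-only values ("javascript:...") are all cut off by this test.
  if (!raw.startsWith('/') || raw.startsWith('//')) return null;

  let parsed;
  try {
    parsed = new URL(raw, trustedOrigin);
  } catch {
    return null;
  }
  // Resolving against the trusted origin must not move us off it. This catches
  // any parser quirk the string checks above did not anticipate.
  if (parsed.origin !== new URL(trustedOrigin).origin) return null;
  // Embedded credentials are never legitimate in a redirect target.
  if (parsed.username !== '' || parsed.password !== '') return null;
  return parsed.href;
}

// Constructed inputs: two legitimate paths followed by the classic bypass shapes.
const SAMPLE_RETURN_URLS = [
  '/context.html?id=1',
  '/debug.html#results',
  'https://evil.test/',
  '//evil.test/',
  '/\\evil.test/',
  'javascript:alert(1)',
  '/ok?next=\n//evil.test',
  '',
];

// Map each sample to its validation result so the decision per input is visible.
function classifyReturnUrls(inputs = SAMPLE_RETURN_URLS) {
  return inputs.map((raw) => ({ raw, allowed: safeReturnUrl(raw) }));
}
```

The order of the checks matters less than the final origin comparison: string filters catch the well-known bypasses cheaply, but resolving the value against the trusted origin with `new URL(raw, base)` and comparing `origin` is the check that holds when a new parser quirk turns up.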
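CVE-2022-21704 above is a permissions problem rather than a parsing one: log files were created with the process umask default, which is world-readable on most Unix systems, unless the caller supplied a `mode`. The block below is an added example, not log4js or thor-sso code, that does two things a practitioner wants here: create a log file with an explicit restrictive mode, and audit a directory for files that other users can read. It assumes POSIX permission bits (Linux or macOS); the directory, file names and log lines are constructed for the example.

```javascript
// Added example; not log4js or thor-sso code. Assumes POSIX permission bits.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Open (creating if needed) a log file that only the owning user can read and
// write. The third argument to openSync is the creation mode; the kernel still
// applies the umask, which can only remove bits, so 0o600 is never widened.
function openPrivateLog(filePath) {
  const fd = fs.openSync(filePath, 'a', 0o600);
  // open() does not change the mode of a file that already exists, so re-apply
  // it for the case where an earlier run left the file with looser permissions.
  fs.fchmodSync(fd, 0o600);
  return fd;
}

// Return the permission bits of a file as an octal string such as "600".
function permissionBits(filePath) {
  return (fs.statSync(filePath).mode & 0o777).toString(8);
}

// List regular files in `dir` that carry the "others can read" bit (0o004),
// i.e. the world-readable files the advisory is about.
function worldReadableFiles(dir) {
  return fs
    .readdirSync(dir)
    .map((name) => path.join(dir, name))
    .filter((p) => {
      const st = fs.statSync(p);
      return st.isFile() && (st.mode & 0o004) !== 0;
    })
    .sort();
}

// Demonstration on a throwaway directory: one file written the default way
// (mode 0o666 minus umask, usually world-readable) and one via openPrivateLog.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'log-perms-'));
  const loose = path.join(dir, 'app-default.log');
  const strict = path.join(dir, 'app-private.log');
  const line = 'constructed log line: user=alice session=REDACTED\n';

  fs.writeFileSync(loose, line); // library default: no mode given
  const fd = openPrivateLog(strict);
  fs.writeSync(fd, line);
  fs.closeSync(fd);

  const result = {
    loose: permissionBits(loose),
    strict: permissionBits(strict),
    worldReadable: worldReadableFiles(dir).map((p) => path.basename(p)),
  };
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}
```

`worldReadableFiles` is the part to lift into a deployment check: pointed at the log directory of a service that handles tokens or personal data, it turns the advisory's "could cause problems if log files contain sensitive information" into a concrete pass or fail. The `loose` file's bits are not asserted below because they depend on the umask of whoever runs it, which is exactly the point.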
mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.