search

turkdevops / update-electron-app

🌲 A drop-in module that adds autoUpdating capabilities to Electron apps
MIT License
1 stars 0 forks source link

WS-2020-0180 (High) detected in npm-user-validate-1.0.0.tgz - autoclosed #105

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

WS-2020-0180 - High Severity Vulnerability

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm-user-validate/package.json

Dependency Hierarchy: - semantic-release-npm-2.0.0.tgz (Root Library) - npm-6.14.8.tgz - :x: **npm-user-validate-1.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: dc312d451fedb0d61dfa85e6ac379940e1a91395

Found in base branch: master

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution: 1.0.1

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.