Closed mend-bolt-for-github[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
WS-2019-0338 - Medium Severity Vulnerability
Vulnerable Library - bin-links-1.1.3.tgz
JavaScript package binary linker
Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.3.tgz
Path to dependency file: /tmp/ws-scm/sync-moltin-to-shipengine/package.json
Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shipengine/node_modules/npm/node_modules/bin-links/package.json
Dependency Hierarchy:
- semantic-release-15.13.31.tgz (Root Library)
  - npm-5.3.4.tgz
    - npm-6.13.0.tgz
      - :x: **bin-links-1.1.3.tgz** (Vulnerable Library)
Found in HEAD commit: 1a271b872793781f011b09e4b7b672a9e80affe2
Vulnerability Details
A symlink reference outside of node_modules vulnerability was found in bin-links before 1.1.5. It is possible to create symlinks to files outside of the node_modules folder through the bin field. This may allow attackers to access unauthorized files.
Publish Date: 2019-12-17
URL: WS-2019-0338
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://github.com/npm/bin-links/commit/b3cfd2ec3a6c398afafaeddf4d4dac0094a36839
Release Date: 2019-12-17
Fix Resolution: bin-links - 1.1.5