Closed mend-for-github-com[bot] closed 2 years ago
string contains methods that aren't included in the vanilla JavaScript string such as escaping html, decoding html entities, stripping tags, etc.
Library home page: https://registry.npmjs.org/string/-/string-3.3.3.tgz
Dependency Hierarchy: - jsdoc-git+https://github.com/BrandonOCasey/jsdoc.git#da41874b82ee87a28b4f615cf5306c6f84e53d57.tgz (Root Library) - markdown-it-named-headers-0.0.4.tgz - :x: **string-3.3.3.tgz** (Vulnerable Library)
Found in HEAD commit: fbdf8372a96f7f26965d33fedec5089038e609dc
Found in base branch: master
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
Publish Date: 2018-06-07
URL: CVE-2017-16116
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16116
Release Date: 2018-06-07
Fix Resolution: org.webjars.npm:underscore.string - 3.2.1;org.webjars.npm:string - 3.3.1;tslint - 4.5.1;MIDIator.WebClient - 1.0.105;EntityFramework.LookupTables - 1.1.14.119;underscore.string - 3.3.5
CVE-2017-16116 - High Severity Vulnerability
Vulnerable Library - string-3.3.3.tgz
string contains methods that aren't included in the vanilla JavaScript string such as escaping html, decoding html entities, stripping tags, etc.
Library home page: https://registry.npmjs.org/string/-/string-3.3.3.tgz
Dependency Hierarchy: - jsdoc-git+https://github.com/BrandonOCasey/jsdoc.git#da41874b82ee87a28b4f615cf5306c6f84e53d57.tgz (Root Library) - markdown-it-named-headers-0.0.4.tgz - :x: **string-3.3.3.tgz** (Vulnerable Library)
Found in HEAD commit: fbdf8372a96f7f26965d33fedec5089038e609dc
Found in base branch: master
Vulnerability Details
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
Publish Date: 2018-06-07
URL: CVE-2017-16116
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16116
Release Date: 2018-06-07
Fix Resolution: org.webjars.npm:underscore.string - 3.2.1;org.webjars.npm:string - 3.3.1;tslint - 4.5.1;MIDIator.WebClient - 1.0.105;EntityFramework.LookupTables - 1.1.14.119;underscore.string - 3.3.5