Closed mend-for-github-com[bot] closed 3 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
WS-2018-0075 - Medium Severity Vulnerability
Vulnerable Library - concat-stream-1.5.0.tgz
writable stream that concatenates strings or binary data and calls a callback with the result
Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz
Path to dependency file: /tmp/ws-scm/bootstrap-timepicker/package.json
Path to vulnerable library: /tmp/ws-scm/bootstrap-timepicker/node_modules/concat-stream/package.json
Dependency Hierarchy:
- grunt-contrib-jasmine-0.4.2.tgz (Root Library)
  - grunt-lib-phantomjs-0.3.1.tgz
    - phantomjs-1.9.20.tgz
      - extract-zip-1.5.0.tgz
        - :x: **concat-stream-1.5.0.tgz** (Vulnerable Library)
Found in HEAD commit: c92f0918f68b35842a2bf5ae212e5d75e70546e5
Vulnerability Details
Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write(). Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.
Publish Date: 2018-04-25
URL: WS-2018-0075
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/597
Release Date: 2018-01-27
Fix Resolution: 1.5.2