Skip to content

WS-2018-0590 (High) detected in diff-1.4.0.tgz - autoclosed #52

New issue
New issue
Closed
Closed
WS-2018-0590 (High) detected in diff-1.4.0.tgz - autoclosed#52
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jun 18, 2019

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: /justapis-javascript-sdk/package.json

Path to vulnerable library: /node_modules/diff/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • diff-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 3ca192403e92db3173fd513bbb67c49050b748e7

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2018-03-05

Fix Resolution: 3.5.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions