CVE-2019-20149 (Medium) detected in multiple libraries #14

mend-bolt-for-github · 2020-01-31T05:27:50Z

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-2.0.1.tgz, kind-of-5.1.0.tgz

kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /tmp/ws-scm/myReads/package.json

Path to vulnerable library: /tmp/ws-scm/myReads/node_modules/kind-of/package.json

Dependency Hierarchy:

react-scripts-3.3.1.tgz (Root Library)
- webpack-4.3.3.tgz
  - plugin-svgo-4.3.1.tgz
    - merge-deep-3.0.2.tgz
      - ❌ kind-of-3.2.2.tgz (Vulnerable Library)

kind-of-4.0.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz

Path to dependency file: /tmp/ws-scm/myReads/package.json

Path to vulnerable library: /tmp/ws-scm/myReads/node_modules/has-values/node_modules/kind-of/package.json

Dependency Hierarchy:

react-scripts-3.3.1.tgz (Root Library)
- webpack-4.41.5.tgz
  - micromatch-3.1.10.tgz
    - snapdragon-0.8.2.tgz
      - base-0.11.2.tgz
        
        cache-base-1.0.1.tgz
        
        has-value-1.0.0.tgz
        
        has-values-1.0.0.tgz
        
        ❌ kind-of-4.0.0.tgz (Vulnerable Library)

kind-of-2.0.1.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-2.0.1.tgz

Path to dependency file: /tmp/ws-scm/myReads/package.json

Path to vulnerable library: /tmp/ws-scm/myReads/node_modules/shallow-clone/node_modules/kind-of/package.json

Dependency Hierarchy:

react-scripts-3.3.1.tgz (Root Library)
- webpack-4.3.3.tgz
  - plugin-svgo-4.3.1.tgz
    - merge-deep-3.0.2.tgz
      - clone-deep-0.2.4.tgz
        
        shallow-clone-0.1.2.tgz
        
        ❌ kind-of-2.0.1.tgz (Vulnerable Library)

kind-of-5.1.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz

Path to dependency file: /tmp/ws-scm/myReads/package.json

Path to vulnerable library: /tmp/ws-scm/myReads/node_modules/is-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

react-scripts-3.3.1.tgz (Root Library)
- webpack-4.41.5.tgz
  - micromatch-3.1.10.tgz
    - snapdragon-0.8.2.tgz
      - define-property-0.2.5.tgz
        
        is-descriptor-0.1.6.tgz
        
        ❌ kind-of-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e20ef7c8f1390af826b02497e2f5afa0ae3414e8

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label Jan 31, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2019-20149 (Medium) detected in multiple libraries #14

CVE-2019-20149 (Medium) detected in multiple libraries #14

mend-bolt-for-github bot commented Jan 31, 2020

CVE-2019-20149 (Medium) detected in multiple libraries #14

CVE-2019-20149 (Medium) detected in multiple libraries #14

Comments

mend-bolt-for-github bot commented Jan 31, 2020

CVE-2019-20149 - Medium Severity Vulnerability