WS-2018-0072 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

WS-2018-0072 - High Severity Vulnerability

Vulnerable Libraries - https-proxy-agent-2.1.1.tgz, https-proxy-agent-1.0.0.tgz

https-proxy-agent-2.1.1.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

path: /tmp/git/angularjs-sample/node_modules/npm/node_modules/npm-profile/node_modules/make-fetch-happen/node_modules/https-proxy-agent/package.json

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.1.1.tgz

Dependency Hierarchy:

• npm-5.7.1.tgz (Root Library)
  • npm-profile-3.0.1.tgz
    • make-fetch-happen-2.6.0.tgz
      • ❌ https-proxy-agent-2.1.1.tgz (Vulnerable Library)

https-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

path: /tmp/git/angularjs-sample/node_modules/https-proxy-agent/package.json

Library home page: http://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz

Dependency Hierarchy:

• karma-2.0.0.tgz (Root Library)
  • log4js-2.5.3.tgz
    • mailgun-js-0.7.15.tgz
      • proxy-agent-2.0.0.tgz
        • ❌ https-proxy-agent-1.0.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().

Publish Date: 2018-04-25

URL: WS-2018-0072

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/593

Release Date: 2018-01-27

Fix Resolution: 2.2.0

---

Step up your Open Source Security Game with WhiteSource here