This repository has been archived by the owner on Oct 18, 2021. It is now read-only.

CVE-2019-20149 (Medium) detected in multiple libraries #7

Open
mend-for-github-com bot opened this issue Jan 1, 2020 · 0 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-for-github-com
Contributor

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Libraries - kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-3.2.2.tgz, kind-of-5.1.0.tgz

kind-of-4.0.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz

Path to dependency file: /finos-deg/website/package.json

Path to vulnerable library: /tmp/git/finos-deg/website/node_modules/has-values/node_modules/kind-of/package.json

Dependency Hierarchy:

  • docusaurus-1.12.0.tgz (Root Library)
    • react-dev-utils-9.0.3.tgz
      • fork-ts-checker-webpack-plugin-1.5.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • has-value-1.0.0.tgz
                  • has-values-1.0.0.tgz
                    • kind-of-4.0.0.tgz (Vulnerable Library)

kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /finos-deg/website/package.json

Path to vulnerable library: /tmp/git/finos-deg/website/node_modules/kind-of/package.json

Dependency Hierarchy:

  • docusaurus-1.12.0.tgz (Root Library)
    • react-dev-utils-9.0.3.tgz
      • fork-ts-checker-webpack-plugin-1.5.0.tgz
        • micromatch-3.1.10.tgz
          • kind-of-6.0.2.tgz (Vulnerable Library)

kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /finos-deg/website/package.json

Path to vulnerable library: /tmp/git/finos-deg/website/node_modules/is-data-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • docusaurus-1.12.0.tgz (Root Library)
    • markdown-toc-1.2.0.tgz
      • list-item-1.1.1.tgz
        • is-number-2.1.0.tgz
          • kind-of-3.2.2.tgz (Vulnerable Library)

kind-of-5.1.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz

Path to dependency file: /finos-deg/website/package.json

Path to vulnerable library: /tmp/git/finos-deg/website/node_modules/is-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • docusaurus-1.12.0.tgz (Root Library)
    • react-dev-utils-9.0.3.tgz
      • fork-ts-checker-webpack-plugin-1.5.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • define-property-0.2.5.tgz
              • is-descriptor-0.1.6.tgz
                • kind-of-5.1.0.tgz (Vulnerable Library)

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available

@mend-for-github-com mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Jan 1, 2020