WS-2018-0096 (High) detected in base64url-2.0.0.tgz #106
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
WS-2018-0096 - High Severity Vulnerability
For encoding to/from base64urls
Library home page: https://registry.npmjs.org/base64url/-/base64url-2.0.0.tgz
Path to dependency file: kienba/functions/package.json
Path to vulnerable library: kienba/functions/node_modules/base64url/package.json
Dependency Hierarchy:
Found in HEAD commit: 349a6dfbfb7b20744f0a39328207f91148a57fa6
Versions of base64url before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.
Publish Date: 2018-05-16
URL: WS-2018-0096
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://hackerone.com/reports/321687
Release Date: 2019-01-24
Fix Resolution: 3.0.0
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: