tmi.js-1.7.2.tgz: 2 vulnerabilities (highest severity is: 6.1) #54
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /back/package.json
Path to vulnerable library: /back/node_modules/node-fetch/package.json
Found in HEAD commit: a8cd22936288e96dc0853b948c465aedbdd75fe3
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - node-fetch-2.6.1.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /back/package.json
Path to vulnerable library: /back/node_modules/node-fetch/package.json
Dependency Hierarchy:
Found in HEAD commit: a8cd22936288e96dc0853b948c465aedbdd75fe3
Found in base branch: develop
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (tmi.js): 1.8.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - ws-7.4.3.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.3.tgz
Path to dependency file: /front/package.json
Path to vulnerable library: /front/node_modules/ws/package.json,/back/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: a8cd22936288e96dc0853b948c465aedbdd75fe3
Found in base branch: develop
Vulnerability Details
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the
Sec-Websocket-Protocolheader can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the--max-http-header-size=sizeand/or themaxHeaderSizeoptions.Publish Date: 2021-05-25
URL: CVE-2021-32640
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 7.4.6
Direct dependency fix Resolution (tmi.js): 1.8.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: