New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
morgan-1.6.1.tgz: 3 vulnerabilities (highest severity is: 9.8) #57
Comments
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
Vulnerable Library - morgan-1.6.1.tgz
HTTP request logger middleware for node.js
Library home page: https://registry.npmjs.org/morgan/-/morgan-1.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/morgan/package.json
Found in HEAD commit: 87fc5d0e5a20689c3f4107612103a3e5384d0712
Vulnerabilities
Details
CVE-2019-5413
Vulnerable Library - morgan-1.6.1.tgz
HTTP request logger middleware for node.js
Library home page: https://registry.npmjs.org/morgan/-/morgan-1.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/morgan/package.json
Dependency Hierarchy:
Found in HEAD commit: 87fc5d0e5a20689c3f4107612103a3e5384d0712
Found in base branch: main
Vulnerability Details
An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.
Publish Date: 2019-03-21
URL: CVE-2019-5413
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/390881
Release Date: 2019-10-09
Fix Resolution: 1.9.1
⛑️ Automatic Remediation is available for this issue
CVE-2017-16137
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/morgan/node_modules/debug/package.json,/node_modules/method-override/node_modules/debug/package.json,/node_modules/mquery/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: 87fc5d0e5a20689c3f4107612103a3e5384d0712
Found in base branch: main
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (morgan): 1.9.0
⛑️ Automatic Remediation is available for this issue
WS-2017-0247
Vulnerable Library - ms-0.7.1.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mongoose/node_modules/ms/package.json,/node_modules/method-override/node_modules/ms/package.json,/node_modules/morgan/node_modules/ms/package.json,/node_modules/mquery/node_modules/ms/package.json
Dependency Hierarchy:
Found in HEAD commit: 87fc5d0e5a20689c3f4107612103a3e5384d0712
Found in base branch: main
Vulnerability Details
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
CVSS 2 Score Details (3.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution (ms): 2.0.0
Direct dependency fix Resolution (morgan): 1.8.2
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
The text was updated successfully, but these errors were encountered: