CVE-2018-20190 (Medium) detected in node-sass-4.11.0.tgz

[mend-for-github-com]

CVE-2018-20190 - Medium Severity Vulnerability

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-12-17

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0