-
-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
core-7.4.4.tgz: 2 vulnerabilities (highest severity is: 6.1) #1906
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
label
Feb 19, 2022
mend-bolt-for-github
bot
changed the title
core-7.4.4.tgz: 1 vulnerabilities (highest severity is: 6.1)
core-7.4.4.tgz: 1 vulnerabilities (highest severity is: 6.1) - autoclosed
Jun 28, 2022
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
mend-bolt-for-github
bot
changed the title
core-7.4.4.tgz: 1 vulnerabilities (highest severity is: 6.1) - autoclosed
core-7.4.4.tgz: 1 vulnerabilities (highest severity is: 6.1)
Dec 9, 2022
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
mend-bolt-for-github
bot
changed the title
core-7.4.4.tgz: 1 vulnerabilities (highest severity is: 6.1)
core-7.4.4.tgz: 2 vulnerabilities (highest severity is: 6.1)
Mar 7, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
0 participants
Vulnerable Library - core-7.4.4.tgz
Nest - modern, fast, powerful node.js web framework (@core)
Library home page: https://registry.npmjs.org/@nestjs/core/-/core-7.4.4.tgz
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-0235
Vulnerable Library - node-fetch-2.6.1.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-26108
Vulnerable Library - core-7.4.4.tgz
Nest - modern, fast, powerful node.js web framework (@core)
Library home page: https://registry.npmjs.org/@nestjs/core/-/core-7.4.4.tgz
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile, the stream wrapped by the StreamableFile will be kept open.
Publish Date: 2023-03-06
URL: CVE-2023-26108
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26108
Release Date: 2023-03-06
Fix Resolution: 9.0.5
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: