You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
Dependency Hierarchy:
mongoose-1.0.2.tgz (Root Library)
❌ flat-4.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Vulnerable Library - mongoose-1.0.2.tgz
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
Vulnerabilities
Details
CVE-2020-36632
Vulnerable Library - flat-4.1.0.tgz
Take a nested Javascript object and flatten it, or unflatten an object with delimited keys
Library home page: https://registry.npmjs.org/flat/-/flat-4.1.0.tgz
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
Publish Date: 2022-12-25
URL: CVE-2020-36632
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-2j2x-2gpw-g8fm
Release Date: 2022-12-25
Fix Resolution (flat): 4.1.1
Direct dependency fix Resolution (@admin-bro/mongoose): 1.1.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: