CVE-2013-7371 Medium Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2013-7371 - Medium Severity Vulnerability

Vulnerable Library - connect-2.1.3.tgz

High performance middleware framework

path: /MS_Demo/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json

Library home page: http://registry.npmjs.org/connect/-/connect-2.1.3.tgz

Dependency Hierarchy:

• ❌ connect-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 23068bfa8fba8e934988efafc64fa2cf0fdb8462

Vulnerability Details

The "methodOverride" middleware in Connect before 2.8.1 allows the http post to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override". Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.

Publish Date: 2014-04-21

URL: CVE-2013-7371

CVSS 2 Score Details (4.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/3

Release Date: 2013-07-01

Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.

---

Step up your Open Source Security Game with WhiteSource here