WS-2013-0003 Medium Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

WS-2013-0003 - Medium Severity Vulnerability

Vulnerable Library - connect-2.1.3.tgz

High performance middleware framework

path: /MS_Demo/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json

Library home page: http://registry.npmjs.org/connect/-/connect-2.1.3.tgz

Dependency Hierarchy:

• ❌ connect-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 23068bfa8fba8e934988efafc64fa2cf0fdb8462

Vulnerability Details

Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.

Publish Date: 2013-07-01

URL: WS-2013-0003

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting

Release Date: 2013-07-01

Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.

---

Step up your Open Source Security Game with WhiteSource here