CVE-2023-34238 - Medium Severity Vulnerability
Vulnerable Library - gatsby-2.3.14.tgz
Blazing fast modern site generator for React
Library home page: https://registry.npmjs.org/gatsby/-/gatsby-2.3.14.tgz
Path to dependency file: /site-landing/package.json
Path to vulnerable library: /node_modules/gatsby/package.json
Dependency Hierarchy:
❌ gatsby-2.3.14.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contains a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop). Any file in scope of the development server could potentially be exposed. It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable. A patch has been introduced in gatsby@5.9.1 and gatsby@4.25.7 which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.
Publish Date: 2023-06-08
URL: CVE-2023-34238
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-c6f8-8r25-c4gc
Release Date: 2023-06-08
Fix Resolution: 2.4.0-0
Step up your Open Source Security Game with Mend here