CVE-2023-34238 (Medium) detected in gatsby-2.23.20.tgz

[mend-bolt-for-github]

CVE-2023-34238 - Medium Severity Vulnerability

Vulnerable Library - gatsby-2.23.20.tgz

Blazing fast modern site generator for React

Library home page: https://registry.npmjs.org/gatsby/-/gatsby-2.23.20.tgz

Path to dependency file: /deps/npm/docs/package.json

Path to vulnerable library: /deps/npm/docs/package.json

Dependency Hierarchy:

• ❌ gatsby-2.23.20.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop). Any file in scope of the development server could potentially be exposed. It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable. A patch has been introduced in gatsby@5.9.1 and gatsby@4.25.7 which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.

Publish Date: 2023-06-08

URL: CVE-2023-34238

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c6f8-8r25-c4gc

Release Date: 2023-06-08

Fix Resolution: 4.25.7

---

Step up your Open Source Security Game with Mend here