codemirror-5.27.4.js: 1 vulnerabilities (highest severity is: 7.5)

Question

Closed this issue 5 months ago · 0 comments

Vulnerable Library - codemirror-5.27.4.js

In-browser code editing made bearable

Path to vulnerable library: /laokou-cloud/laokou-register/src/main/resources/static/console-ui/public/js/codemirror.js

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (codemirror version)	Remediation Possible**
CVE-2020-7760	High	7.5	codemirror-5.27.4.js	Direct	codemirror - 5.58.2	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

In-browser code editing made bearable

Path to vulnerable library: /laokou-cloud/laokou-register/src/main/resources/static/console-ui/public/js/codemirror.js

Dependency Hierarchy:

Found in base branch: master

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/.?/)

Publish Date: 2020-10-30

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Type: Upgrade version

Release Date: 2020-10-30

Fix Resolution: codemirror - 5.58.2

Step up your Open Source Security Game with Mend here