CVE-2018-19837 Medium Severity Vulnerability detected by WhiteSource
mend-bolt-for-github opened this issue · 0 comments
CVE-2018-19837 - Medium Severity Vulnerability
Vulnerable Library - libsass3.4.1
A C/C++ implementation of a Sass compiler
Library home page: https://github.com/sass/libsass.git
Library Source Files (72)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
- /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
- /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
- /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
- /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
- /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
- /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
- /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
- /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
- /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
- /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
- /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp
Vulnerability Details
In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.
Publish Date: 2018-12-04
URL: CVE-2018-19837
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19837
Fix Resolution: 3.5.5
Step up your Open Source Security Game with WhiteSource here