WS-2019-0063 (High) detected in js-yaml-3.7.0.tgz - autoclosed

Question

WS-2019-0063 (High) detected in js-yaml-3.7.0.tgz - autoclosed

mend-for-github-com opened this issue 4 years ago · 1 comments

mend-for-github-com commented 4 years ago

WS-2019-0063 - High Severity Vulnerability

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Dependency Hierarchy:

css-loader-0.28.11.tgz (Root Library)
- cssnano-3.10.0.tgz
  - postcss-svgo-2.1.6.tgz
    - svgo-0.7.2.tgz
      - ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

Answer 1 · 2022-05-27T06:06:05.000Z

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.