alpersonalwebsite/private-blockchain

CVE-2020-8116 (Medium) detected in dot-prop-4.2.0.tgz

Closed this issue · 0 comments

mend-bolt-for-github commented

CVE-2020-8116 - Medium Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/private-blockchain/package.json

Path to vulnerable library: /tmp/ws-scm/private-blockchain/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • nodemon-1.19.4.tgz (Root Library)
    • update-notifier-2.5.0.tgz
      • configstore-3.1.2.tgz
        • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 15fde7fe315c39577ff4229be3259e8a240fbd51

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Step up your Open Source Security Game with WhiteSource here