finos/cla-bot

WS-2018-0209 (Medium) detected in morgan-1.5.3.tgz

Closed this issue · 0 comments

mend-for-github-com commented

WS-2018-0209 - Medium Severity Vulnerability

Vulnerable Library - morgan-1.5.3.tgz

HTTP request logger middleware for node.js

Library home page: https://registry.npmjs.org/morgan/-/morgan-1.5.3.tgz

Path to dependency file: /tmp/ws-scm/cla-bot/package.json

Path to vulnerable library: /tmp/ws-scm/cla-bot/node_modules/morgan/package.json

Dependency Hierarchy:

  • express-3.20.3.tgz (Root Library)
    • connect-2.29.2.tgz
      • morgan-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 728af6547d8b346b13cb8e7fe8c30e8a0df3cbeb

Vulnerability Details

Morgan before 1.9.1 is vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.

Publish Date: 2018-11-25

URL: WS-2018-0209

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/735

Release Date: 2019-04-08

Fix Resolution: 1.9.1