matejkosiarcik/azlint

WS-2019-0307 (Medium) detected in mem-3.0.1.tgz

Closed this issue · 0 comments

WS-2019-0307 - Medium Severity Vulnerability

Vulnerable Library - mem-3.0.1.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-3.0.1.tgz

Path to dependency file: /tmp/ws-scm/azlint/components/node/package.json

Path to vulnerable library: /tmp/ws-scm/azlint/components/node/node_modules/mem/package.json

Dependency Hierarchy:

  • eclint-2.8.1.tgz (Root Library)
    • gulp-reporter-2.10.0.tgz
      • in-gfw-1.2.0.tgz
        • mem-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 204d9f28366e1f23672e27afcf9a70813b35b022

Vulnerability Details

Denial of Service (DoS) vulnerability found in mem before 4.0.0. There is a failure in the removal of old values from the cache. As a result, an attacker may exhaust the system's memory.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

