CVE-2019-10196 (High) detected in http-proxy-agent-1.0.0.tgz

Question

CVE-2019-10196 (High) detected in http-proxy-agent-1.0.0.tgz

Closed this issue 4 years ago · 0 comments

mend-bolt-for-github commented 4 years ago

CVE-2019-10196 - High Severity Vulnerability

Vulnerable Library - http-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTP

Library home page: https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-1.0.0.tgz

Path to dependency file: gulp-fontiran/package.json

Path to vulnerable library: gulp-fontiran/node_modules/popsicle-proxy-agent/node_modules/http-proxy-agent/package.json

Dependency Hierarchy:

typings-2.1.1.tgz (Root Library)
- typings-core-2.3.3.tgz
  - popsicle-proxy-agent-3.0.0.tgz
    - ❌ http-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 12230c8be6173c2ba71e89abbb756f06f2775834

Found in base branch: master

Vulnerability Details

Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer

Publish Date: 2020-07-21

URL: CVE-2019-10196

CVSS 3 Score Details (7.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/607

Release Date: 2020-07-21

Fix Resolution: 2.1.0

Step up your Open Source Security Game with WhiteSource here