CVE-2020-28275 (High) detected in cache-base-1.0.1.tgz

Question

CVE-2020-28275 (High) detected in cache-base-1.0.1.tgz

Closed this issue 4 years ago · 0 comments

mend-bolt-for-github commented 4 years ago

CVE-2020-28275 - High Severity Vulnerability

Vulnerable Library - cache-base-1.0.1.tgz

Basic object cache with `get`, `set`, `del`, and `has` methods for node.js/javascript projects.

Library home page: https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz

Path to dependency file: rollup-mpa/package.json

Path to vulnerable library: rollup-mpa/node_modules/cache-base/package.json

Dependency Hierarchy:

rollup-plugin-sass-1.2.2.tgz (Root Library)
- sass-1.7.2.tgz
  - chokidar-2.1.8.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        
        base-0.11.2.tgz
        
        ❌ cache-base-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: d5581a6824f15c5c10bab3c959444ee366e2b10a

Vulnerability Details

Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-11-07

URL: CVE-2020-28275

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here