WS-2019-0381 (Medium) detected in kind-of-6.0.2.tgz
mend-bolt-for-github opened this issue · 0 comments
WS-2019-0381 - Medium Severity Vulnerability
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/import-moltin-to-algolia/package.json
Path to vulnerable library: /tmp/ws-scm/import-moltin-to-algolia/node_modules/kind-of/package.json
Dependency Hierarchy:
- jest-24.8.0.tgz (Root Library)
- jest-cli-24.8.0.tgz
- core-24.8.0.tgz
- micromatch-3.1.10.tgz
- ❌ kind-of-6.0.2.tgz (Vulnerable Library)
- micromatch-3.1.10.tgz
- core-24.8.0.tgz
- jest-cli-24.8.0.tgz
Found in HEAD commit: 96d5036998190b909eb8340eda98b0408660212a
Vulnerability Details
Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.
Publish Date: 2019-12-30
URL: WS-2019-0381
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/kind-of@975c13a
Release Date: 2020-03-18
Fix Resolution: kind-of - 6.0.3
Step up your Open Source Security Game with WhiteSource here