WS-2017-0206 Medium Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

WS-2017-0206 - Medium Severity Vulnerability

Vulnerable Libraries - brace-expansion-1.1.6.tgz, brace-expansion-1.1.2.tgz

brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/brace-expansion/package.json

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Dependency Hierarchy:

• nodeunit-0.9.5.tgz (Root Library)
  • tap-7.1.2.tgz
    • nyc-7.1.0.tgz
      • glob-7.0.5.tgz
        • minimatch-3.0.2.tgz
          • ❌ brace-expansion-1.1.6.tgz (Vulnerable Library)

brace-expansion-1.1.2.tgz

Brace expansion as known from sh/bash

path: /tmp/git/JSHint/node_modules/jshint/node_modules/minimatch/node_modules/brace-expansion/package.json

Library home page: http://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.2.tgz

Dependency Hierarchy:

• minimatch-2.0.10.tgz (Root Library)
  • ❌ brace-expansion-1.1.2.tgz (Vulnerable Library)

Vulnerability Details

Brace-expansion is a module to support bash-like brace expansion in JavaScript.
For example,{1,2,3,4} would expand to 1 2 3 4. brace expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks.

Publish Date: 2017-04-25

URL: WS-2017-0206

CVSS 2 Score Details (6.2)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: juliangruber/brace-expansion@b133812

Release Date: 2017-04-07

Fix Resolution: Replace or update the following file: index.js

---

Step up your Open Source Security Game with WhiteSource here