WS-2015-0009 (High) detected in uglify-js-2.2.5.tgz #69

mend-bolt-for-github · 2020-05-01T15:50:51Z

WS-2015-0009 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: /tmp/ws-scm/curratelo/package.json

Path to vulnerable library: /tmp/ws-scm/curratelo/node_modules/transformers/node_modules/uglify-js/package.json

Dependency Hierarchy:

jade-1.11.0.tgz (Root Library)
- transformers-2.1.0.tgz
  - ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 9d25ffce923d8b5ee8e4d3a66723fb5744328814

Vulnerability Details

Uglify, using the parameter "-c" does not properly minify the js code, resulting in change to the minified code and potentially allowing code execution.

Publish Date: 2015-07-22

URL: WS-2015-0009

CVSS 3 Score Details (8.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: mishoo/UglifyJS#751

Release Date: 2017-01-31

Fix Resolution: 2.4.24

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label May 1, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WS-2015-0009 (High) detected in uglify-js-2.2.5.tgz #69

WS-2015-0009 (High) detected in uglify-js-2.2.5.tgz #69

mend-bolt-for-github bot commented May 1, 2020

WS-2015-0009 (High) detected in uglify-js-2.2.5.tgz #69

WS-2015-0009 (High) detected in uglify-js-2.2.5.tgz #69

Comments

mend-bolt-for-github bot commented May 1, 2020

WS-2015-0009 - High Severity Vulnerability