CVE-2024-1899 (Medium) detected in showdown-2.1.0.tgz

[mend-for-github-com]

CVE-2024-1899 - Medium Severity Vulnerability

Vulnerable Library - showdown-2.1.0.tgz

A Markdown to HTML converter written in Javascript

Library home page: https://registry.npmjs.org/showdown/-/showdown-2.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ showdown-2.1.0.tgz (Vulnerable Library)

Found in HEAD commit: a8118062a4f94961a9234ac9e7347750199ee23f

Found in base branch: main

Vulnerability Details

An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of service conditions.

Publish Date: 2024-02-26

URL: CVE-2024-1899

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[andrross]

Catch All Triage - 1, 2, 3, 4

@joshuali925 Can you take a look?