npm-install-all-1.1.21.tgz: 1 vulnerabilities (highest severity is: 6.5) #52
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
dev-mend-for-github-com
bot
added
the
security vulnerability
|
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory. |
dev-mend-for-github-com
bot
changed the title
dev-mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory. |
dev-mend-for-github-com
bot
changed the title
|
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory. |
dev-mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /start-git/package.json
Path to vulnerable library: /start-git/node_modules/sync-exec/package.json
Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3
Vulnerabilities
Details
Vulnerable Library - sync-exec-0.6.2.tgz
Synchronous exec with status code support. Requires no external dependencies, no need for node-gyp compilations etc.
Library home page: https://registry.npmjs.org/sync-exec/-/sync-exec-0.6.2.tgz
Path to dependency file: /start-git/package.json
Path to vulnerable library: /start-git/node_modules/sync-exec/package.json
Dependency Hierarchy:
Found in HEAD commit: fe409ca2bb6102addf56e0caf3b48bb9726d71f3
Found in base branch: master
Vulnerability Details
The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.
Publish Date: 2018-06-04
URL: CVE-2017-16024
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16024
Release Date: 2018-06-04
Fix Resolution: no_fix
The text was updated successfully, but these errors were encountered: