CVE-2018-1109 (High) detected in braces-1.8.5.tgz, braces-0.1.5.tgz #128
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2018-1109 - High Severity Vulnerability
braces-1.8.5.tgz
Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz
Path to dependency file: t-vault/tvaultui/package.json
Path to vulnerable library: t-vault/tvaultui/node_modules/braces/package.json
Dependency Hierarchy:
braces-0.1.5.tgz
Fastest brace expansion lib. Typically used with file paths, but can be used with any string. Expands comma-separated values (e.g. `foo/{a,b,c}/bar`) and alphabetical or numerical ranges (e.g. `{1..9}`)
Library home page: https://registry.npmjs.org/braces/-/braces-0.1.5.tgz
Path to dependency file: t-vault/tvaultui/package.json
Path to vulnerable library: t-vault/tvaultui/node_modules/expand-braces/node_modules/braces/package.json
Dependency Hierarchy:
Braces before 1.4.2 and 2.17.2 is vulnerable to ReDoS. It used a regular expression (^{(,+(?:({,+})),|,(?:({,+})),+)}) in order to detects empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.
Publish Date: 2020-07-21
URL: CVE-2018-1109
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1547272
Release Date: 2020-07-21
Fix Resolution: 2.3.1
The text was updated successfully, but these errors were encountered: