WS-2022-0280 (Critical) detected in multiple libraries #265
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
WS-2022-0280 - Critical Severity Vulnerability
moment-timezone-0.5.33.tgz
Parse and display moments in any timezone.
Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.33.tgz
Path to dependency file: /aws-node-typescript-nest/package.json
Path to vulnerable library: /aws-node-typescript-nest/node_modules/moment-timezone/package.json
Dependency Hierarchy:
moment-timezone-0.5.34.tgz
Parse and display moments in any timezone.
Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.34.tgz
Path to dependency file: /aws-node-http-api-dynamodb-local/package.json
Path to vulnerable library: /aws-node-http-api-dynamodb-local/node_modules/moment-timezone/package.json,/aws-node-http-api-typescript/node_modules/moment-timezone/package.json,/openwhisk-node-simple-http-endpoint/node_modules/moment-timezone/package.json,/aws-node-rest-api-with-dynamodb-and-offline/node_modules/moment-timezone/package.json,/aws-node-rest-api-typescript-simple/node_modules/moment-timezone/package.json
Dependency Hierarchy:
moment-timezone-0.5.31.tgz
Parse and display moments in any timezone.
Library home page: https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.31.tgz
Path to dependency file: /aws-node-typescript-apollo-lambda/package.json
Path to vulnerable library: /aws-node-typescript-apollo-lambda/node_modules/moment-timezone/package.json,/azure-node-typescript-servicebus-trigger-endpoint/node_modules/moment-timezone/package.json
Dependency Hierarchy:
Found in base branch: master
Command Injection in moment-timezone before 0.5.35.
Publish Date: 2024-11-03
URL: WS-2022-0280
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-56x4-j7p9-fcf9
Release Date: 2024-11-03
Fix Resolution (moment-timezone): 0.5.35
Direct dependency fix Resolution (serverless-offline): 7.1.0
Fix Resolution (moment-timezone): 0.5.35
Direct dependency fix Resolution (serverless-offline): 6.9.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: