Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GHSA-mg85-8mv5-ffjr (High) detected in ammo - autoclosed #1058

Closed
tmarkley opened this issue Dec 30, 2021 · 2 comments
Closed

GHSA-mg85-8mv5-ffjr (High) detected in ammo - autoclosed #1058

tmarkley opened this issue Dec 30, 2021 · 2 comments

Comments

@tmarkley
Copy link
Contributor

GHSA-mg85-8mv5-ffjr - High Severity Vulnerability

⚠️ Vulnerable Libraries: [email protected]

Dependency Hierarchy

$ npm ls ammo
[email protected] /home/ubuntu/ws/OpenSearch-Dashboards
├─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
  └── [email protected] deduped

$ yarn why ammo
yarn why v1.22.17
[1/4] Why do we have the module "ammo"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~3.7.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#hapi" depends on it
   - Hoisted from "_project_#hapi#ammo"
   - Hoisted from "_project_#inert#ammo"
info Disk size without dependencies: "24KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "72KB"
info Number of shared dependencies: 1
Done in 1.94s.

Found in base branch: main

🕵️ Vulnerability Details

Description

All versions of ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

Publish Date

2020-02-17

URL

https://security.snyk.io/vuln/SNYK-JS-AMMO-548920

🎯 CVSS 3 Score Details (7.5)

Scores

Base: 7.5
Exploitability: N/A
Impact: N/A
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability Metrics

Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S)
Network (AV:N) Low (AC:L) None (PR:N) None (UI:N) Unchanged (S:U)

Impact Metrics

Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)
None (C:N) None (I:N) High (A:H)

🔧 Suggested Fix

How to fix?

This package is deprecated and is now maintained as @hapi/ammo. Please update your dependencies to use @hapi/ammo.

Origin

GHSA-mg85-8mv5-ffjr
@tmarkley tmarkley added Mend: dependency security vulnerability Security vulnerability detected by Mend high severity High severity CVE labels Dec 30, 2021
@mend-for-github-com mend-for-github-com bot changed the title GHSA-mg85-8mv5-ffjr (High) detected in ammo GHSA-mg85-8mv5-ffjr (High) detected in ammo - autoclosed Jan 4, 2022
@mend-for-github-com
Copy link

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

@tmarkley tmarkley added cve Security vulnerabilities detected by Dependabot or Mend v2.0.0 labels Jan 6, 2022
@tmarkley
Copy link
Contributor Author

Replaced with #1090

@tmarkley tmarkley removed v2.0.0 Mend: dependency security vulnerability Security vulnerability detected by Mend high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jan 13, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@akashgp09
build: remove unused dev-dependencies (opensearch-project#1058)
1e96872
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tmarkley