WS-2017-0247 (Low) detected in ms-0.7.1.tgz, ms-0.6.2.tgz - autoclosed #22
Description
WS-2017-0247 - Low Severity Vulnerability
Vulnerable Libraries - ms-0.7.1.tgz, ms-0.6.2.tgz
ms-0.7.1.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: rzr-example/reveal.js-master/plugin/multiplex/package.json
Path to vulnerable library: rzr-example/reveal.js-master/plugin/multiplex/node_modules/ms/package.json,rzr-example/reveal.js-master/plugin/multiplex/node_modules/ms/package.json
Dependency Hierarchy:
- express-4.13.4.tgz (Root Library)
- debug-2.2.0.tgz
- ❌ ms-0.7.1.tgz (Vulnerable Library)
- debug-2.2.0.tgz
ms-0.6.2.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz
Path to dependency file: rzr-example/reveal.js-master/package.json
Path to vulnerable library: rzr-example/reveal.js-master/node_modules/socket.io/node_modules/ms/package.json,rzr-example/reveal.js-master/node_modules/socket.io/node_modules/ms/package.json
Dependency Hierarchy:
- socket.io-1.3.7.tgz (Root Library)
- debug-2.1.0.tgz
- ❌ ms-0.6.2.tgz (Vulnerable Library)
- debug-2.1.0.tgz
Found in HEAD commit: 4af952fa68247806023dc354049f8d5fb2778603
Found in base branch: master
Vulnerability Details
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
CVSS 2 Score Details (3.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution: 2.1.1
Step up your Open Source Security Game with WhiteSource here