100DaysOfCode icon indicating copy to clipboard operation
100DaysOfCode copied to clipboard

Published 20 hours ago verified publisher icon b-tomi

CVE-2018-11694 (Medium) detected in node-sass-4.14.1.tgz

Open mend-bolt-for-github[bot] opened this issue 3 years ago • 0 comments

CVE-2018-11694 - Medium Severity Vulnerability

Vulnerable Library - node-sass-4.14.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.1.tgz

Path to dependency file: /day59/package.json

Path to vulnerable library: /day59/package.json,/day60/package.json

Dependency Hierarchy:

  • gulp-sass-4.1.0.tgz (Root Library)
    • :x: node-sass-4.14.1.tgz (Vulnerable Library)

Found in HEAD commit: c88b9429eb68a85b22f0e39cac7bf20b89cb6709

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Jan 15 '22 05:01 mend-bolt-for-github[bot]