FireShort icon indicating copy to clipboard operation
FireShort copied to clipboard

Published 20 hours ago verified publisher icon monizb

CVE-2020-7768 (High) detected in grpc-js-1.1.7.tgz

Open mend-bolt-for-github[bot] opened this issue 4 years ago • 0 comments
trafficstars

CVE-2020-7768 - High Severity Vulnerability

Vulnerable Library - grpc-js-1.1.7.tgz

gRPC Library for Node - pure JS implementation

Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.1.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@grpc/grpc-js/package.json

Dependency Hierarchy:

  • firebase-7.22.0.tgz (Root Library)
    • firestore-1.17.2.tgz
      • :x: grpc-js-1.1.7.tgz (Vulnerable Library)

Found in HEAD commit: 01d2522e4209e107bda54c059ee7caae1a2713dc

Found in base branch: master

Vulnerability Details

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

Publish Date: 2020-11-11

URL: CVE-2020-7768

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Release Date: 2020-11-11

Fix Resolution (@grpc/grpc-js): 1.1.8

Direct dependency fix Resolution (firebase): 7.22.1-202095155838

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Jan 13 '21 09:01 mend-bolt-for-github[bot]