operatorfabric-core
operatorfabric-core copied to clipboard
opfab
CVE-2024-21538 (High) detected in cross-spawn-7.0.3.tgz
CVE-2024-21538 - High Severity Vulnerability
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /cli/src/package.json
Path to vulnerable library: /cli/src/package.json
Dependency Hierarchy:
- tar-7.4.3.tgz (Root Library)
- minizlib-3.0.1.tgz
- rimraf-5.0.7.tgz
- glob-10.4.1.tgz
- foreground-child-3.2.1.tgz
- :x: cross-spawn-7.0.3.tgz (Vulnerable Library)
- foreground-child-3.2.1.tgz
- glob-10.4.1.tgz
- rimraf-5.0.7.tgz
- minizlib-3.0.1.tgz
Found in base branch: develop
Vulnerability Details
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: org.webjars.npm:cross-spawn:6.0.6
Step up your Open Source Security Game with Mend here
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "Published by a pub.dev verified publisher"){kind=small}