SFDX-Data-Move-Utility WS-2017-0421 (High) detected in ws-2.3.1.tgz, ws-1.1.5.tgz

WS-2017-0421 (High) detected in ws-2.3.1.tgz, ws-1.1.5.tgz

Open mend-bolt-for-github[bot] opened this issue 6 years ago • 0 comments

WS-2017-0421 - High Severity Vulnerability

Vulnerable Libraries - ws-2.3.1.tgz, ws-1.1.5.tgz

ws-2.3.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-2.3.1.tgz

Path to dependency file: /react-native-version-check/packages/react-native-version-check-expo/package.json

Path to vulnerable library: /tmp/git/react-native-version-check/packages/react-native-version-check-expo/node_modules/react-devtools-core/node_modules/ws/package.json,/tmp/git/react-native-version-check/packages/react-native-version-check-expo/node_modules/react-devtools-core/node_modules/ws/package.json

Dependency Hierarchy:

react-native-0.48.4.tgz (Root Library)
- react-devtools-core-2.5.2.tgz
  - :x: ws-2.3.1.tgz (Vulnerable Library)

ws-1.1.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-1.1.5.tgz

Path to dependency file: /react-native-version-check/packages/react-native-version-check-expo/package.json

Path to vulnerable library: /tmp/git/react-native-version-check/packages/react-native-version-check/node_modules/ws/package.json,/tmp/git/react-native-version-check/packages/react-native-version-check/node_modules/ws/package.json

Dependency Hierarchy:

react-native-0.48.4.tgz (Root Library)
- :x: ws-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: d52a5161ca4eeb5387c6b83aba1683450896bcd8

Vulnerability Details

Affected version of ws (0.2.6--3.3.0) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Publish Date: 2017-11-08

URL: WS-2017-0421