WS-2017-0266 (Low) detected in http-signature-0.10.1.tgz - autoclosed

[mend-for-github-com]

WS-2017-0266 - Low Severity Vulnerability

Vulnerable Library - http-signature-0.10.1.tgz

Reference implementation of Joyent's HTTP Signature scheme.

Library home page: https://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/zaproxy/node_modules/http-signature/package.json

Dependency Hierarchy:

• zaproxy-0.2.0.tgz (Root Library)
  • request-2.36.0.tgz
    • ❌ http-signature-0.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 188e122d80d495bec287ef3a4b998484fb9167b4

Found in base branch: master

Vulnerability Details

http-signature before version 1.0.0 are vulnerable to timing attack, which may lead to information disclosure.

Publish Date: 2015-01-22

URL: WS-2017-0266

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: TritonDataCenter/node-http-signature#36

Release Date: 2015-01-22

Fix Resolution: 1.0.0

[mend-for-github-com]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.