Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2020-7753 (High) detected in trim-0.0.1.tgz #55

Open
mend-bolt-for-github bot opened this issue Dec 27, 2020 · 5 comments · Fixed by #85, #90, #87 or #7
Open

CVE-2020-7753 (High) detected in trim-0.0.1.tgz #55

mend-bolt-for-github bot opened this issue Dec 27, 2020 · 5 comments · Fixed by #85, #90, #87 or #7
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link

mend-bolt-for-github bot commented Dec 27, 2020
edited
Loading

CVE-2020-7753 - High Severity Vulnerability

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /deps/npm/docs/package.json

Path to vulnerable library: /deps/npm/docs/package.json,/tools/doc/node_modules/trim/package.json

Dependency Hierarchy:

  • remark-parse-5.0.0.tgz (Root Library)
    • trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 00fdb00d5bdbaea4fec4642989374d82cbdb1a3c

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution (trim): 0.0.3

Direct dependency fix Resolution (remark-parse): 9.0.0

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Dec 27, 2020
@mend-bolt-for-github
Copy link
Author

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2020-7753 (High) detected in trim-0.0.1.tgz CVE-2020-7753 (High) detected in trim-0.0.1.tgz - autoclosed Mar 31, 2021
@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2020-7753 (High) detected in trim-0.0.1.tgz - autoclosed CVE-2020-7753 (High) detected in trim-0.0.1.tgz Jun 28, 2021
@mend-bolt-for-github
Copy link
Author

ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2020-7753 (High) detected in trim-0.0.1.tgz - autoclosed CVE-2020-7753 (High) detected in trim-0.0.1.tgz Jun 28, 2021
@mend-bolt-for-github
Copy link
Author

ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2020-7753 (High) detected in trim-0.0.1.tgz CVE-2020-7753 (High) detected in trim-0.0.1.tgz - autoclosed Apr 21, 2023
@mend-bolt-for-github
Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2020-7753 (High) detected in trim-0.0.1.tgz - autoclosed CVE-2020-7753 (High) detected in trim-0.0.1.tgz Apr 26, 2023
@mend-bolt-for-github
Copy link
Author

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
0 participants